Fraud detection and control in multi-tiered centralized processing

ABSTRACT

Detecting and controlling fraud in centralized processing is provided. A system receives data packets carrying electronic transactions, and clusters the electronic transactions based on an intermediary identifier of each of the electronic transactions to identify a first cluster and a second cluster. The system generates a first model for the first cluster and a second model for the second cluster. The system detects a fraudulent electronic transaction having a first source identifier. The system locks a first data structure to prevent transfer of a first resource in electronic transactions associated with the first source identifier. The system identifies source identifiers associated with the first cluster in a first tier. The system locks, absent detection of the fraudulent electronic transaction in one or more electronic transactions associated with the source identifiers, the data structure corresponding to each of the source identifiers in the first cluster.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application claims the benefit of priority under 35 U.S.C. § 120 as a continuation of U.S. patent application Ser. No. 16/175,237, filed Oct. 30, 2018, which claims the benefit of priority under 35 U.S.C. § 119 to U.S. Provisional Patent Application No. 62/692,157, filed Jun. 29, 2018, each of which is hereby incorporated by reference herein in its entirety.

FIELD OF THE DISCLOSURE

The present solution is generally directed to detecting or controlling fraud in multi-tiered centralized processing. In particular, the present solution can identify fraudulent activity in a tier of a multi-tiered processing infrastructure, and automatically perform action to mitigate or prevent further fraudulent activity in the tier or other tiers in the multi-tiered processing infrastructure.

BACKGROUND OF THE DISCLOSURE

Entities can provide various types of electronic tax benefit accounts. These accounts can be susceptible to network attacks, threats, spoofing, or fraud. As the number and types of electronic tax benefit accounts increase, it may be challenging to efficiently identify and stop the fraud.

BRIEF SUMMARY OF THE DISCLOSURE

The systems and methods of the present solution are directed to the technical problems and challenges of detecting and controlling network attacks, threats, spoofing, or fraud on an electronic account. The systems and methods of the present solution are directed to the improvement of the performance and operation of the electronic transaction based technology and platform and computing and networking resource used by such electronic transaction based technology and platform. In some aspects, the present solution improves and enhances the implemented functionality of the electronic transaction based technology and platform implemented on, integrated with and inherently tied to the processor, memory, network and computing resources of one or more computing devices. In some aspects, the present solution more effectively performs the functionality of the electronic transaction based technology and platform thereby making and causing more effective use of the computing and networking resources to achieve the improved functionality of the present solution. The same computing and network resources used by such electronic transaction based technology and platform will provide increased and improved functionality with implementation of the present solution.

In some aspects, systems and methods of the present solution are directed to fraud detection and control in centralized processing. A centralized state processing system can process electronic transactions on behalf of multiple entities. Each of those entities may have separate resources used to process electronic transactions associated with child entities. Thus, the centralized state processing system may be processing transactions for multiple entities as well as child entities that can be configured in a hierarchical tier structure. However, it may be challenging to reliably and efficiently detect and control fraudulent activity or transactions when the devices used to conduct or initiate the transactions are grouped in different tiers because the fraudulent activity may go undetected or unnoticed as it can be masked within a tier. Thus, systems and methods of the present technical solution are directed to detecting and controlling fraud in centralized state processing.

For example, the present solution can provide a centralized state processing system configured with a clusterer, model generator, fraud detector, and packet blocker. This system can detect fraud based on comparing debit card spending activity with historical spending activity at various segmentation levels (e.g., third-party administrator levels, employer levels). For example, the total spend for an employer having 1000 individual employees may be more stable. This technology is directed to protecting the employer, as opposed to just the individual employee. The technology can stop all transactions for an employer responsive to detecting fraud. Further, the technology can disable all fraudulent cards, as well as non-fraudulent cards, associated with the same group level. Thus, by establishing models and monitoring on various segmentation levels, as opposed to just the individual transaction, the system can detect and control fraud at any segmentation level (e.g., based on group activity), thereby intercepting fraud on the group level that may otherwise go undetected at the individual transaction level.

At least one aspect of the present disclosure is directed to a method of fraud detection and control in centralized processing. The method can be performed by a centralized state processing system having one or more processors and memory. The method can include the centralized state processing system receiving data packets carrying electronic transactions. Each of the electronic transactions can include a source identifier corresponding to a data structure storing a resource, a destination identifier corresponding to a data structure to transfer the resource, and an intermediary identifier corresponding to an entity that provides at least a portion of the resource stored in the data structure. The method can include the centralized state processing system clustering the source identifier of each of the electronic transactions based on the intermediary identifier of each of the electronic transactions to identify a first cluster of source identifiers in a first tier having a first intermediary identifier, and a second cluster of source identifiers in a second tier having a second intermediary identifier. The method can include the centralized state processing system generating a first model for the first cluster of source identifiers and a second model for the second cluster of source identifiers. The method can include the centralized state processing system detecting, using the first model, a fraudulent electronic transaction having a first source identifier and the first intermediary identifier. The first source identifier can correspond to a first data structure storing a first resource. The method can include the centralized state processing system locking, responsive to detection of the fraudulent electronic transaction, the first data structure to prevent transfer of the first resource in electronic transactions associated with the first source identifier. The method can include the centralized state processing system identifying source identifiers associated with the first cluster of source identifiers in the first tier. The method can include the centralized state processing system locking, in the absence of detection of the fraudulent electronic transaction in one or more electronic transactions associated with the plurality of source identifiers, the data structure corresponding to each of the plurality of source identifiers in the first cluster of source identifiers.

In some embodiments, the method includes generating, based on a machine learning model, the first model based on first historical electronic transactions associated with the first tier that occurred during a first predetermined time interval absent the fraudulent electronic transaction. The method can include generating, based on the machine learning model, the second model based on second historical electronic transactions associated with the second tier that occurred during a second predetermined time interval absent the fraudulent electronic transaction. The second predetermined time interval is different from the first predetermined time interval, and the fraudulent electronic transaction is absent from the second predetermined time interval.

In some embodiments, the method includes selecting the first predetermined time interval absent the fraudulent electronic transaction to generate the first model based on a first characteristic of the first tier. The method can include selecting the second predetermined time interval to generate the second model based on a second characteristic of the second tier.

In some embodiments, the method can include generating an electronic transaction model for the first source identifier. The method can include using the electronic transaction model to detect the fraudulent electronic transaction having the first source identifier and the first intermediary identifier.

In some embodiments, the method can include receiving a second plurality of electronic transactions associated with the first tier. The method can include authorizing each of the second plurality of electronic transactions based on not detecting fraud on each of the second plurality of electronic transactions. The method can include applying a statistical analysis to an aggregate of the second plurality of electronic transactions. The method can include detecting fraud in the first tier based on the statistical analysis applied to the aggregate of the second plurality of transactions. The fraud may not be detected on each of the second plurality of electronic transactions when analyzed independently. The method can include locking source identifiers associated with the second plurality of electronic transactions.
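The tier-level flow described above (cluster source identifiers by intermediary identifier, model each tier from fraud-free history, detect fraud on the aggregate, then lock every source identifier in the tier) can be sketched as follows. This is an added example, not code from the patent; the z-score test, the per-transaction ceiling, the thresholds, and all names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class Txn:
    source_id: str        # account/card whose data structure stores the resource
    dest_id: str          # where the resource would be transferred
    intermediary_id: str  # entity funding the account; defines the tier
    amount: float
    day: int


def cluster_sources(txns):
    """Group source identifiers by intermediary identifier (one cluster per tier)."""
    clusters = defaultdict(set)
    for t in txns:
        clusters[t.intermediary_id].add(t.source_id)
    return dict(clusters)


def build_tier_models(history):
    """Per-tier baseline: mean and sample stdev of the tier's daily total spend."""
    daily = defaultdict(lambda: defaultdict(float))
    for t in history:
        daily[t.intermediary_id][t.day] += t.amount
    models = {}
    for tier, totals in daily.items():
        values = list(totals.values())
        models[tier] = (mean(values), stdev(values) if len(values) > 1 else 0.0)
    return models


def tier_zscore(model, total):
    """How far today's tier total sits above the baseline, in standard deviations."""
    mu, sd = model
    if sd == 0:  # perfectly flat history: any deviation is anomalous
        return 0.0 if total == mu else float("inf")
    return (total - mu) / sd


def detect_and_lock(history, today, per_txn_limit=300.0, z_threshold=3.0):
    clusters = cluster_sources(history + today)
    models = build_tier_models(history)
    # Individual check (assumed here to be a simple amount ceiling).
    declined = [t for t in today if t.amount > per_txn_limit]
    # Aggregate check over the transactions that passed individually.
    totals = defaultdict(float)
    for t in today:
        if t.amount <= per_txn_limit:
            totals[t.intermediary_id] += t.amount
    zscores = {tier: tier_zscore(models[tier], total)
               for tier, total in totals.items() if tier in models}
    flagged = sorted(tier for tier, z in zscores.items() if z > z_threshold)
    # Lock every source identifier in a flagged tier, including ones
    # that showed no suspicious activity of their own.
    locked = set()
    for tier in flagged:
        locked |= clusters[tier]
    return {"declined": declined, "zscores": zscores,
            "flagged": flagged, "locked": locked}


def authorize(txn, locked, per_txn_limit=300.0):
    """Post-lock handling: a locked source must pass multi-factor authentication."""
    if txn.source_id in locked:
        return "mfa_required"
    return "approved" if txn.amount <= per_txn_limit else "declined"


def sample_history():
    """Constructed data: 10 fraud-free days for two employers."""
    txns = []
    for day in range(10):
        for i in range(5):   # EMP-A: five cards, about 100 each per day
            txns.append(Txn(f"A-{i}", "M-1", "EMP-A", 100.0 + 5 * (day % 3) + i, day))
        for i in range(3):   # EMP-B: three cards, about 50 each per day
            txns.append(Txn(f"B-{i}", "M-2", "EMP-B", 50.0 + 2 * (day % 2), day))
    return txns


def sample_today():
    """Constructed data: four EMP-A cards spend 180 each; A-4 is idle."""
    a = [Txn(f"A-{i}", "M-9", "EMP-A", 180.0, 10) for i in range(4)]
    b = [Txn(f"B-{i}", "M-2", "EMP-B", 51.0, 10) for i in range(3)]
    return a + b


if __name__ == "__main__":
    result = detect_and_lock(sample_history(), sample_today())
    print("declined individually:", len(result["declined"]))
    print("flagged tiers:", result["flagged"])
    print("locked sources:", sorted(result["locked"]))
```

In the constructed data every transaction passes the individual check, yet the EMP-A tier total is far above its baseline, so all five EMP-A cards are locked, including A-4, which made no transaction that day.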

In some embodiments, the method can include generating an alert based on a type of fraud detected by the centralized state processing system. The method can include transmitting the alert to a device associated with the first intermediary identifier. In some embodiments, the intermediary identifier of each of the electronic transactions corresponds to an entity that configures or authorized the source identifier associated with each of the electronic transactions.

In some embodiments, locking the plurality of source identifiers associated with the first tier that are not detected to be fraudulent can include blocking packets carrying electronic transactions associated with one or more of the plurality of source identifiers. In some embodiments, locking the plurality of source identifiers associated with the first tier that are not detected to be fraudulent can include preventing completion of electronic transactions associated with one or more of the plurality of source identifiers.

In some embodiments, the method can include requesting, subsequent to locking the plurality of source identifiers associated with the first tier, multi-factor authentication responsive to a request to conduct an electronic transaction associated with one or more of the plurality of source identifiers that are locked.

At least one aspect is directed to a system to detect and control fraud in centralized processing. The system can include a centralized state processing system having one or more processors and memory that execute a fraud detector. The centralized state processing system (or fraud detector) can receive data packets carrying electronic transactions. Each of the electronic transactions can include a source identifier corresponding to a data structure storing a resource, a destination identifier corresponding to a data structure to transfer the resource, and an intermediary identifier corresponding to an entity that provides at least a portion of the resource stored in the data structure. The fraud detector can cluster the source identifier of each of the electronic transactions based on the intermediary identifier of each of the electronic transactions to identify a first cluster of source identifiers in a first tier having a first intermediary identifier, and a second cluster of source identifiers in a second tier having a second intermediary identifier. The fraud detector can generate a first model for the first cluster of source identifiers and a second model for the second cluster of source identifiers. The fraud detector can detect, using the first model, a fraudulent electronic transaction having a first source identifier and the first intermediary identifier. The first source identifier can correspond to a first data structure storing a first resource. The fraud detector can lock, responsive to detection of the fraudulent electronic transaction, the first data structure to prevent transfer of the first resource in electronic transactions associated with the first source identifier. The fraud detector can identify a plurality of source identifiers associated with the first cluster of source identifiers in the first tier. The fraud detector can lock, absent detection of the fraudulent electronic transaction in one or more electronic transactions associated with the plurality of source identifiers, the data structure corresponding to each of the plurality of source identifiers in the first cluster of source identifiers.

In some embodiments, the centralized state processing system can generate, based on a machine learning technique, the first model based on first historical electronic transactions associated with the first tier that occurred during a first predetermined time interval absent the fraudulent electronic transaction. The centralized state processing system can generate, based on the machine learning technique, the second model based on second historical electronic transactions associated with the second tier that occurred during a second predetermined time interval absent the fraudulent electronic transaction. The second predetermined time interval may be absent the fraudulent electronic transaction and different from the first predetermined time interval.

The centralized state processing system can select the first predetermined time interval that is absent the fraudulent electronic transaction to generate the first model based on a first characteristic of the first tier. The centralized state processing system can select the second predetermined time interval to generate the second model based on a second characteristic of the second tier.

The centralized state processing system can generate an electronic transaction model for the first source identifier. The centralized state processing system can use the electronic transaction model to detect the fraudulent electronic transaction having the first source identifier and the first intermediary identifier.

The centralized state processing system can receive a second plurality of electronic transactions associated with the first tier. The centralized state processing system can authorize each of the second plurality of electronic transactions based on not detecting fraud on each of the second plurality of electronic transactions. The centralized state processing system can apply a statistical analysis to an aggregate of the second plurality of electronic transactions. The centralized state processing system can detect fraud in the first tier based on the statistical analysis applied to the aggregate of the second plurality of transactions. The fraud may not be detected on each of the second plurality of electronic transactions when analyzed independently. The centralized state processing system can lock source identifiers associated with the second plurality of electronic transactions.

The centralized state processing system can generate an alert based on a type of fraud detected by the centralized state processing system. The centralized state processing system can transmit the alert to a device associated with the first intermediary identifier. In some cases, the intermediary identifier of each of the plurality of electronic transactions can correspond to an entity that configures or authorized the source identifier associated with each of the plurality of electronic transactions.

The centralized state processing system can block packets carrying electronic transactions associated with one or more of the plurality of source identifiers. The centralized state processing system can prevent completion of electronic transactions associated with one or more of the plurality of source identifiers. Subsequent to locking the plurality of source identifiers associated with the first tier, the centralized state processing system can request multi-factor authentication responsive to a request to conduct an electronic transaction associated with one or more of the plurality of source identifiers that are locked.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects, features, and advantages of the disclosure will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1A is a block diagram depicting an embodiment of a network environment comprising client device in communication with server device;

FIG. 1B is a block diagram depicting a cloud computing environment comprising a client device in communication with cloud service providers;

FIGS. 1C and 1D are block diagrams depicting embodiments of computing devices useful in connection with the methods and systems described herein;

FIG. 2 is a block diagram depicting an embodiment of a system for fraud detection and control; and

FIG. 3 is a flow diagram depicting an embodiment of a method of fraud detection and control.

The features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, or structurally similar elements.

DETAILED DESCRIPTION

For purposes of reading the description of the various embodiments below, the following descriptions of the sections of the specification and their respective contents can be helpful:

Section A describes a network environment and computing environment which can be useful for practicing embodiments described herein.

Section B describes embodiments of systems and methods for fraud detection and control in centralized processing.

A. Computing and Network Environment

Prior to discussing specific embodiments of the present solution, it can be helpful to describe aspects of the operating environment as well as associated system components (e.g., hardware elements) in connection with the methods and systems described herein. Referring to FIG. 1A, an embodiment of a network environment is depicted. In brief overview, the network environment includes one or more clients 102 a-102 n (also generally referred to as local machine(s) 102, client(s) 102, client node(s) 102, client machine(s) 102, client computer(s) 102, client device(s) 102, endpoint(s) 102, or endpoint node(s) 102) in communication with one or more servers 106 a-106 n (also generally referred to as server(s) 106, node 106, or remote machine(s) 106) via one or more networks 104. In some embodiments, a client 102 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 102 a-102 n.

Although FIG. 1A shows a network 104 between the clients 102 and the servers 106, the clients 102 and the servers 106 can be on the same network 104. In some embodiments, there are multiple networks 104 between the clients 102 and the servers 106. In one of these embodiments, a network 104′ (not shown) can be a private network and a network 104 can be a public network. In another of these embodiments, a network 104 can be a private network and a network 104′ a public network. In still another of these embodiments, networks 104 and 104′ can both be private networks.

The network 104 can be connected via wired or wireless links. Wired links can include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. The wireless links can include BLUETOOTH, Wi-Fi, Worldwide Interoperability for Microwave Access (WiMAX), an infrared channel or satellite band. The wireless links can also include any cellular network standards used to communicate among mobile devices, including standards that qualify as 1G, 2G, 3G, or 4G. The network standards can qualify as one or more generation of mobile telecommunication standards by fulfilling a specification or standards such as the specifications maintained by International Telecommunication Union. The 3G standards, for example, can correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards can correspond to the International Mobile Telecommunications Advanced (IMT-Advanced) specification. Examples of cellular network standards include AMPS, GSM, GPRS, UMTS, LTE, LTE Advanced, Mobile WiMAX, and WiMAX-Advanced. Cellular network standards can use various channel access methods e.g. FDMA, TDMA, CDMA, or SDMA. In some embodiments, different types of data can be transmitted via different links and standards. In other embodiments, the same types of data can be transmitted via different links and standards.

The network 104 can be any type and/or form of network. The geographical scope of the network 104 can vary widely and the network 104 can be a body area network (BAN), a personal area network (PAN), a local-area network (LAN), e.g. Intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The topology of the network 104 can be of any form and can include, e.g., any of the following: point-to-point, bus, star, ring, mesh, or tree. The network 104 can be an overlay network which is virtual and sits on top of one or more layers of other networks 104′. The network 104 can be of any such network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein. The network 104 can utilize different techniques and layers or stacks of protocols, including, e.g., the Ethernet protocol, the internet protocol suite (TCP/IP), the ATM (Asynchronous Transfer Mode) technique, the SONET (Synchronous Optical Networking) protocol, or the SDH (Synchronous Digital Hierarchy) protocol. The TCP/IP internet protocol suite can include application layer, transport layer, internet layer (including, e.g., IPv6), or the link layer. The network 104 can be a type of a broadcast network, a telecommunications network, a data communication network, or a computer network.

In some embodiments, the system can include multiple, logically-grouped servers 106. In one of these embodiments, the logical group of servers can be referred to as a server farm 38 or a machine farm 38. In another of these embodiments, the servers 106 can be geographically dispersed. In other embodiments, a machine farm 38 can be administered as a single entity. In still other embodiments, the machine farm 38 includes a plurality of machine farms 38. The servers 106 within each machine farm 38 can be heterogeneous—one or more of the servers 106 or machines 106 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash.), while one or more of the other servers 106 can operate according to another type of operating system platform (e.g., Unix, Linux, or Mac OS X).

In one embodiment, servers 106 in the machine farm 38 can be stored in high-density rack systems, along with associated storage systems, and located in an enterprise data center. In this embodiment, consolidating the servers 106 in this way can improve system manageability, data security, the physical security of the system, and system performance by locating servers 106 and high performance storage systems on localized high performance networks. Centralizing the servers 106 and storage systems and coupling them with advanced system management tools allows more efficient use of server resources.

The servers 106 of each machine farm 38 do not need to be physically proximate to another server 106 in the same machine farm 38. Thus, the group of servers 106 logically grouped as a machine farm 38 can be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a machine farm 38 can include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the machine farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection. Additionally, a heterogeneous machine farm 38 can include one or more servers 106 operating according to a type of operating system, while one or more other servers 106 execute one or more types of hypervisors rather than operating systems. In these embodiments, hypervisors can be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments, allowing multiple operating systems to run concurrently on a host computer. Native hypervisors can run directly on the host computer. Hypervisors can include VMware ESX/ESXi, manufactured by VMWare, Inc., of Palo Alto, Calif.; the Xen hypervisor, an open source product whose development is overseen by Citrix Systems, Inc.; the HYPER-V hypervisors provided by Microsoft or others. Hosted hypervisors can run within an operating system on a second software level. Examples of hosted hypervisors can include VMware Workstation and VIRTUALBOX.

Management of the machine farm 38 can be de-centralized. For example, one or more servers 106 can comprise components, subsystems and modules to support one or more management services for the machine farm 38. In one of these embodiments, one or more servers 106 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm 38. Each server 106 can communicate with a persistent store and, in some embodiments, with a dynamic store.

Server 106 can be a file server, application server, web server, proxy server, appliance, network appliance, gateway, gateway server, virtualization server, deployment server, SSL VPN server, or firewall. In one embodiment, the server 106 can be referred to as a remote machine or a node. In another embodiment, a plurality of nodes 290 can be in the path between any two communicating servers.

Referring to FIG. 1B, a cloud computing environment is depicted. A cloud computing environment can provide client 102 with one or more resources provided by a network environment. The cloud computing environment can include one or more clients 102 a-102 n, in communication with the cloud 108 over one or more networks 104. Clients 102 can include, e.g., thick clients, thin clients, and zero clients. A thick client can provide at least some functionality even when disconnected from the cloud 108 or servers 106. A thin client or a zero client can depend on the connection to the cloud 108 or server 106 to provide functionality. A zero client can depend on the cloud 108 or other networks 104 or servers 106 to retrieve operating system data for the client device. The cloud 108 can include back end platforms, e.g., servers 106, storage, server farms or data centers.

The cloud 108 can be public, private, or hybrid. Public clouds can include public servers 106 that are maintained by third parties to the clients 102 or the owners of the clients. The servers 106 can be located off-site in remote geographical locations as disclosed above or otherwise. Public clouds can be connected to the servers 106 over a public network. Private clouds can include private servers 106 that are physically maintained by clients 102 or owners of clients. Private clouds can be connected to the servers 106 over a private network 104. Hybrid clouds 108 can include both the private and public networks 104 and servers 106.

The cloud 108 can also include a cloud based delivery, e.g. Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS can refer to a user renting the use of infrastructure resources that are needed during a specified time period. IaaS providers can offer storage, networking, servers or virtualization resources from large pools, allowing the users to quickly scale up by accessing more resources as needed. Examples of IaaS can include infrastructure and services (e.g., EG-32) provided by OVH HOSTING of Montreal, Quebec, Canada, AMAZON WEB SERVICES provided by Amazon.com, Inc., of Seattle, Wash., RACKSPACE CLOUD provided by Rackspace US, Inc., of San Antonio, Tex., Google Compute Engine provided by Google Inc. of Mountain View, Calif., or RIGHTSCALE provided by RightScale, Inc., of Santa Barbara, Calif. PaaS providers can offer functionality provided by IaaS, including, e.g., storage, networking, servers or virtualization, as well as additional resources such as, e.g., the operating system, middleware, or runtime resources. Examples of PaaS include WINDOWS AZURE provided by Microsoft Corporation of Redmond, Wash., Google App Engine provided by Google Inc., and HEROKU provided by Heroku, Inc. of San Francisco, Calif. SaaS providers can offer the resources that PaaS provides, including storage, networking, servers, virtualization, operating system, middleware, or runtime resources. In some embodiments, SaaS providers can offer additional resources including, e.g., data and application resources. Examples of SaaS include GOOGLE APPS provided by Google Inc., SALESFORCE provided by Salesforce.com Inc. of San Francisco, Calif., or OFFICE 365 provided by Microsoft Corporation. Examples of SaaS can also include data storage providers, e.g. DROPBOX provided by Dropbox, Inc. of San Francisco, Calif., Microsoft SKYDRIVE provided by Microsoft Corporation, Google Drive provided by Google Inc., or Apple ICLOUD provided by Apple Inc. of Cupertino, Calif.

Clients 102 can access IaaS resources with one or more IaaS standards, including, e.g., Amazon Elastic Compute Cloud (EC2), Open Cloud Computing Interface (OCCI), Cloud Infrastructure Management Interface (CIMI), or OpenStack standards. Some IaaS standards can allow clients access to resources over HTTP, and can use Representational State Transfer (REST) protocol or Simple Object Access Protocol (SOAP). Clients 102 can access PaaS resources with different PaaS interfaces. Some PaaS interfaces use HTTP packages, standard Java APIs, JavaMail API, Java Data Objects (JDO), Java Persistence API (JPA), Python APIs, web integration APIs for different programming languages including, e.g., Rack for Ruby, WSGI for Python, or PSGI for Perl, or other APIs that can be built on REST, HTTP, XML, or other protocols. Clients 102 can access SaaS resources through the use of web-based user interfaces, provided by a web browser (e.g. GOOGLE CHROME, Microsoft INTERNET EXPLORER, or Mozilla Firefox provided by Mozilla Foundation of Mountain View, Calif.). Clients 102 can also access SaaS resources through smartphone or tablet applications, including, e.g., Salesforce Sales Cloud, or Google Drive app. Clients 102 can also access SaaS resources through the client operating system, including, e.g., Windows file system for DROPBOX.

In some embodiments, access to IaaS, PaaS, or SaaS resources can be authenticated. For example, a server or authentication server can authenticate a user via security certificates, HTTPS, or API keys. API keys can include various encryption standards such as, e.g., Advanced Encryption Standard (AES). Data resources can be sent over Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

The client 102 and server 106 can be deployed as and/or executed on any type and form of computing device, e.g. a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1C, a computing device 100 can include a storage device 128, an installation device 116, a network interface 118, an I/O controller 123, display devices 124 a-124 n, a keyboard 126 and a pointing device 127, e.g. a mouse. The storage device 128 can include, without limitation, an operating system, software, and a software of a centralized state processing system (CSPS) 120. As shown in FIG. 1D, each computing device 100 can also include additional optional elements, e.g. a memory port 103, a bridge 170, one or more input/output devices 130 a-130 n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.

The central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit 121 is provided by a microprocessor unit, e.g.: those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; the ARM processor and TEGRA system on a chip (SoC) manufactured by Nvidia of Santa Clara, Calif.; the POWER7 processor, those manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. The computing device 100 can be based on any of these processors, or any other processor capable of operating as described herein. The central processing unit 121 can utilize instruction level parallelism, thread level parallelism, different levels of cache, and multi-core processors. A multi-core processor can include two or more processing units on a single computing component. Examples of multi-core processors include the AMD PHENOM IIX2, INTEL CORE i5 and INTEL CORE i7.

Main memory unit 122 can include one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 121. Main memory unit 122 can be volatile and faster than storage 128 memory. Main memory units 122 can be Dynamic random access memory (DRAM) or any variants, including static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single Data Rate Synchronous DRAM (SDR SDRAM), Double Data Rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or Extreme Data Rate DRAM (XDR DRAM). In some embodiments, the main memory 122 or the storage 128 can be non-volatile; e.g., non-volatile read access memory (NVRAM), flash memory non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. The main memory 122 can be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1C, the processor 121 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1D depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103. For example, in FIG. 1D the main memory 122 can be DRDRAM.

FIG. 1D depicts an embodiment in which the main processor 121 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, the main processor 121 communicates with cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1D, the processor 121 communicates with various I/O devices 130 via a local system bus 150. Various buses can be used to connect the central processing unit 121 to any of the I/O devices 130, including a PCI bus, a PCI-X bus, or a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 121 can use an Advanced Graphics Port (AGP) to communicate with the display 124 or the I/O controller 123 for the display 124. FIG. 1D depicts an embodiment of a computer 100 in which the main processor 121 communicates directly with I/O device 130 b or other processors 121′ via HYPERTRANSPORT, RAPIDIO, or INFINIBAND communications technology. FIG. 1D also depicts an embodiment in which local busses and direct communication are mixed: the processor 121 communicates with I/O device 130 a using a local interconnect bus while communicating with I/O device 130 b directly.

A wide variety of I/O devices 130 a-130 n can be present in the computing device 100. Input devices can include keyboards, mice, trackpads, trackballs, touchpads, touch mice, multi-touch touchpads and touch mice, microphones, multi-array microphones, drawing tablets, cameras, single-lens reflex camera (SLR), digital SLR (DSLR), CMOS sensors, accelerometers, infrared optical sensors, pressure sensors, magnetometer sensors, angular rate sensors, depth sensors, proximity sensors, ambient light sensors, gyroscopic sensors, or other sensors. Output devices can include video displays, graphical displays, speakers, headphones, inkjet printers, laser printers, and 3D printers.

Devices 130 a-130 n can include a combination of multiple input or output devices, including, e.g., Microsoft KINECT, Nintendo Wiimote for the WII, Nintendo WII U GAMEPAD, or Apple IPHONE. Some devices 130 a-130 n allow gesture recognition inputs through combining some of the inputs and outputs. Some devices 130 a-130 n provide for facial recognition which can be utilized as an input for different purposes including authentication and other commands. Some devices 130 a-130 n provide for voice recognition and inputs, including, e.g., Microsoft KINECT, SIRI for IPHONE by Apple, Google Now or Google Voice Search.

Additional devices 130 a-130 n have both input and output capabilities, including, e.g., haptic feedback devices, touchscreen displays, or multi-touch displays. Touchscreen, multi-touch displays, touchpads, touch mice, or other touch sensing devices can use different technologies to sense touch, including, e.g., capacitive, surface capacitive, projected capacitive touch (PCT), in-cell capacitive, resistive, infrared, waveguide, dispersive signal touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT), or force-based sensing technologies. Some multi-touch devices can allow two or more contact points with the surface, allowing advanced functionality including, e.g., pinch, spread, rotate, scroll, or other gestures. Some touchscreen devices, including, e.g., Microsoft PIXELSENSE or Multi-Touch Collaboration Wall, can have larger surfaces, such as on a table-top or on a wall, and can also interact with other electronic devices. Some I/O devices 130 a-130 n, display devices 124 a-124 n or group of devices can be augmented reality devices. The I/O devices can be controlled by an I/O controller 123 as shown in FIG. 1C. The I/O controller can control one or more I/O devices, such as, e.g., a keyboard 126 and a pointing device 127, e.g., a mouse or optical pen. Furthermore, an I/O device can also provide storage and/or an installation medium 116 for the computing device 100. In still other embodiments, the computing device 100 can provide USB connections (not shown) to receive handheld USB storage devices. In further embodiments, an I/O device 130 can be a bridge between the system bus 150 and an external communication bus, e.g. a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124 a-124 n can be connected to I/O controller 123. Display devices can include, e.g., liquid crystal displays (LCD), thin film transistor LCD (TFT-LCD), blue phase LCD, electronic papers (e-ink) displays, flexible displays, light emitting diode displays (LED), digital light processing (DLP) displays, liquid crystal on silicon (LCOS) displays, organic light-emitting diode (OLED) displays, active-matrix organic light-emitting diode (AMOLED) displays, liquid crystal laser displays, time-multiplexed optical shutter (TMOS) displays, or 3D displays. Examples of 3D displays can use, e.g. stereoscopy, polarization filters, active shutters, or autostereoscopy. Display devices 124 a-124 n can also be a head-mounted display (HMD). In some embodiments, display devices 124 a-124 n or the corresponding I/O controllers 123 can be controlled through or have hardware support for OPENGL or DIRECTX API or other graphics libraries.

In some embodiments, the computing device 100 can include or connect to multiple display devices 124 a-124 n, which each can be of the same or different type and/or form. As such, any of the I/O devices 130 a-130 n and/or the I/O controller 123 can include any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124 a-124 n by the computing device 100. For example, the computing device 100 can include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124 a-124 n. In one embodiment, a video adapter can include multiple connectors to interface to multiple display devices 124 a-124 n. In other embodiments, the computing device 100 can include multiple video adapters, with each video adapter connected to one or more of the display devices 124 a-124 n. In some embodiments, any portion of the operating system of the computing device 100 can be configured for using multiple displays 124 a-124 n. In other embodiments, one or more of the display devices 124 a-124 n can be provided by one or more other computing devices 100 a or 100 b connected to the computing device 100, via the network 104. In some embodiments software can be designed and constructed to use another computer's display device as a second display device 124 a for the computing device 100. For example, in one embodiment, an Apple iPad can connect to a computing device 100 and use the display of the device 100 as an additional display screen that can be used as an extended desktop. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a computing device 100 can be configured to have multiple display devices 124 a-124 n.

Referring again to FIG. 1C, the computing device 100 can comprise a storage device 128 (e.g. one or more hard disk drives or redundant arrays of independent disks) for storing an operating system or other related software, and for storing application software programs such as any program related to the software 120 for the centralized state processing system. Examples of storage device 128 include, e.g., hard disk drive (HDD); optical drive including CD drive, DVD drive, or BLU-RAY drive; solid-state drive (SSD); USB flash drive; or any other device suitable for storing data. Some storage devices can include multiple volatile and non-volatile memories, including, e.g., solid state hybrid drives that combine hard disks with solid state cache. Some storage device 128 can be non-volatile, mutable, or read-only. Some storage device 128 can be internal and connect to the computing device 100 via a bus 150. Some storage device 128 can be external and connect to the computing device 100 via an I/O device 130 that provides an external bus. Some storage device 128 can connect to the computing device 100 via the network interface 118 over a network 104, including, e.g., the Remote Disk for MACBOOK AIR by Apple. Some client devices 100 may not require a non-volatile storage device 128 and can be thin clients or zero clients 102. Some storage device 128 can also be used as an installation device 116, and can be suitable for installing software and programs. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, e.g. KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.

Client device 100 can also install software or application from an application distribution platform. Examples of application distribution platforms include the App Store for iOS provided by Apple, Inc., the Mac App Store provided by Apple, Inc., GOOGLE PLAY for Android OS provided by Google Inc., Chrome Webstore for CHROME OS provided by Google Inc., and Amazon Appstore for Android OS and KINDLE FIRE provided by Amazon.com, Inc. An application distribution platform can facilitate installation of software on a client device 102. An application distribution platform can include a repository of applications on a server 106 or a cloud 108, which the clients 102 a-102 n can access over a network 104. An application distribution platform can include applications developed and provided by various developers. A user of a client device 102 can select, purchase and/or download an application via the application distribution platform.

Furthermore, the computing device 100 can include a network interface 118 to interface to the network 104 through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, Gigabit Ethernet, Infiniband), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET, ADSL, VDSL, BPON, GPON, fiber optical including FiOS), wireless connections, or some combination of any or all of the above. Connections can be established using a variety of communication protocols (e.g., TCP/IP, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), IEEE 802.11a/b/g/n/ac, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the computing device 100 communicates with other computing devices 100′ via any type and/or form of gateway or tunneling protocol e.g. Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla. The network interface 118 can comprise a built-in network adapter, network interface card, PCMCIA network card, EXPRESSCARD network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.

A computing device 100 of the sort depicted in FIGS. 1B and 1C can operate under the control of an operating system, which controls scheduling of tasks and access to system resources. The computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include, but are not limited to: WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA, and WINDOWS 7, WINDOWS RT, and WINDOWS 8 all of which are manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple, Inc. of Cupertino, Calif.; and Linux, a freely-available operating system, e.g. Linux Mint distribution (“distro”) or Ubuntu, distributed by Canonical Ltd. of London, United Kingdom; or Unix or other Unix-like derivative operating systems; and Android, designed by Google, of Mountain View, Calif., among others. Some operating systems, including, e.g., the CHROME OS by Google, can be used on zero clients or thin clients, including, e.g., CHROMEBOOKS.

The computer system 100 can be any workstation, telephone, desktop computer, laptop or notebook computer, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone or other portable telecommunications device, media playing device, a gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communication. The computer system 100 has sufficient processor power and memory capacity to perform the operations described herein. In some embodiments, the computing device 100 can have different processors, operating systems, and input devices consistent with the device. The Samsung GALAXY smartphones, e.g., operate under the control of Android operating system developed by Google, Inc. GALAXY smartphones receive input via a touch interface.

In some embodiments, the computing device 100 is a gaming system. For example, the computer system 100 can comprise a PLAYSTATION 3, or PERSONAL PLAYSTATION PORTABLE (PSP), or a PLAYSTATION VITA device manufactured by the Sony Corporation of Tokyo, Japan, a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, or a NINTENDO WII U device manufactured by Nintendo Co., Ltd., of Kyoto, Japan, or an XBOX 360 device manufactured by the Microsoft Corporation of Redmond, Wash.

In some embodiments, the computing device 100 is a digital audio player such as the Apple IPOD, IPOD Touch, and IPOD NANO lines of devices, manufactured by Apple Computer of Cupertino, Calif. Some digital audio players can have other functionality, including, e.g., a gaming system or any functionality made available by an application from a digital application distribution platform. For example, the IPOD Touch can access the Apple App Store. In some embodiments, the computing device 100 is a portable media player or digital audio player supporting file formats including, but not limited to, MP3, WAV, M4A/AAC, WMA Protected AAC, AIFF, Audible audiobook, Apple Lossless audio file formats and .mov, .m4v, and .mp4 MPEG-4 (H.264/MPEG-4 AVC) video file formats.

In some embodiments, the computing device 100 is a tablet e.g. the IPAD line of devices by Apple; GALAXY TAB family of devices by Samsung; or KINDLE FIRE, by Amazon.com, Inc. of Seattle, Wash. In other embodiments, the computing device 100 is an eBook reader, e.g. the KINDLE family of devices by Amazon.com, or NOOK family of devices by Barnes & Noble, Inc. of New York City, N.Y.

In some embodiments, the communications device 102 includes a combination of devices, e.g. a smartphone combined with a digital audio player or portable media player. For example, one of these embodiments is a smartphone, e.g. the IPHONE family of smartphones manufactured by Apple, Inc.; a Samsung GALAXY family of smartphones manufactured by Samsung, Inc.; or a Motorola DROID family of smartphones. In yet another embodiment, the communications device 102 is a laptop or desktop computer equipped with a web browser and a microphone and speaker system, e.g. a telephony headset. In these embodiments, the communications devices 102 are web-enabled and can receive and initiate phone calls. In some embodiments, a laptop or desktop computer is also equipped with a webcam or other video capture device that enables video chat and video call.

In some embodiments, the status of one or more machines 102, 106 in the network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine can include an identification of load information (e.g., the number of processes on the machine, CPU and memory utilization), of port information (e.g., the number of available communication ports and the port addresses), or of session status (e.g., the duration and type of processes, and whether a process is active or idle). In another of these embodiments, this information can be identified by a plurality of metrics, and the plurality of metrics can be applied at least in part towards decisions in load distribution, network traffic management, and network failure recovery as well as any aspects of operations of the present solution described herein. Aspects of the operating environments and components described above will become apparent in the context of the systems and methods disclosed herein.

B. Fraud Detection and Control in Centralized Processing

Systems and methods of the present solution are directed to fraud detection and control in centralized processing. A centralized state processing system can process electronic transactions on behalf of multiple entities. Each of those entities may have separate resources used to process electronic transactions associated with child entities. Thus, the centralized state processing system may be processing transactions for multiple entities as well as child entities that can be configured in a hierarchical tier structure. However, it may be challenging to reliably and efficiently detect and control fraudulent activity or transactions when the devices used to conduct or initiate the transactions are grouped in different tiers because the fraudulent activity may go undetected or unnoticed as it can be masked within a tier. Thus, systems and methods of the present technical solution are directed to detecting and controlling fraud in centralized state processing.

For example, the present solution can provide a centralized state processing system configured with a clusterer, model generator, fraud detector, and packet blocker. This system can detect fraud based on comparing debit card spending activity with historical spending activity at various segmentation levels (e.g., third-party administrator levels, employer levels). For example, the total spend for an employer having 1000 individual employees may be more stable. This technology is directed to protecting the employer, as opposed to just the individual employee. The technology can stop all transactions for an employer responsive to detecting fraud. Further, the technology can disable all fraudulent cards, as well as non-fraudulent cards, associated with the same group level. Thus, by establishing models and monitoring on various segmentation levels, as opposed to just the individual transaction, the system can detect and control fraud at any segmentation level (e.g., based on group activity), thereby intercepting fraud on the group level that may otherwise go undetected at the individual transaction level.

For example, Employer A may be associated with 1000 participant computing devices, which can correspond to 1000 employees. The Employer A may be affiliated with a Third-Party Administrator Device A (“TPA A”). One or more of the participant computing devices may initiate a transaction at one or more point-of-sale terminals (“POS terminal”). The transaction, however, may be approved on an individual basis because the transaction might occur at a POS terminal that was previously used by the one or more participant computing devices to conduct a transaction, as well as for a transaction amount that may have been within a modeled transaction amount. Thus, using models generated for individual participant computing devices, the system may not detect fraudulent behavior on any of the 1000 participant computing devices.

However, the system can also generate a model for a segmentation level or cluster. A cluster can refer to a group of participant devices that are linked or associated with one another. The cluster can refer to a group of participant devices that are grouped based on a similar characteristic (e.g., geography or type of plan). The cluster can refer to a group of participant devices that are grouped based on being associated with a same employer (e.g., Employer A). The cluster can refer to a group of employers linked or associated with the same TPA. Thus, the system can generate one or more clusters based on one or more segmentation levels.

The system can generate a model for the one or more clusters. The system can generate the model based on historical activity for the cluster. For example, the system can look at total spend per week for a segmentation level (e.g., Employer A). The system can then normalize for certain factors (e.g., big enrollment). The system can then analyze current transaction activity and compare it with the model to detect fraud. The system can detect the fraud based on multiple transactions in the cluster that may have occurred within a time period. The system can detect that fraud occurred in the cluster, and then identify the fraudulent transactions associated with the individual participant devices in the cluster. For example, if all participant devices are spending only $25 more per week, the system may not normally flag these individual transactions as fraudulent. However, if all participant devices associated with Employer A are spending $25 more per week, then the system may detect this as fraud on the Employer A segmentation level.

Responsive to detecting fraud on the segmentation level, the system can block, lock, disable or otherwise prevent further fraudulent transactions from occurring with the participant devices associated with the fraudulent transaction. However, to further protect the cluster level (e.g., Employer A or TPA A), the system can block, lock, disable or otherwise prevent further fraudulent transactions from occurring from any participant device associated with the cluster level, regardless of whether or not the participant device was associated with a fraudulent transaction.
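The cluster-level detection and cluster-wide lock described in the preceding paragraphs can be sketched as follows. This is an added Python illustration, not part of the patent text: the z-score model, the 3-sigma threshold, the identifiers and all transaction data are constructed assumptions. Every participant of Employer A spends $25 more in the current week, which no per-participant model flags, while Employer B only grows its enrollment, which an unnormalized total would misread as fraud.

```python
from collections import defaultdict
from statistics import mean, stdev

Z_LIMIT = 3.0      # assumed alert threshold, in standard deviations
CURRENT_WEEK = 8   # weeks 0-7 are history, week 8 is being scored


def constructed_transactions():
    """Constructed sample rows: (week, source_id, intermediary_id, amount)."""
    txns = []
    for week in range(CURRENT_WEEK + 1):
        seasonal = (week % 3 - 1) * 2  # small drift shared by everyone
        for employer in ("EMPLOYER_A", "EMPLOYER_B"):
            # Employer B has a big enrollment in the current week: 100 -> 150.
            grew = employer == "EMPLOYER_B" and week == CURRENT_WEEK
            for i in range(150 if grew else 100):
                base = 100 + (i % 5) * 10
                swing = 40 if (i + week) % 2 == 0 else -40  # noisy individuals
                amount = base + swing + seasonal
                if employer == "EMPLOYER_A" and week == CURRENT_WEEK:
                    amount += 25  # every participant spends $25 more
                txns.append((week, f"{employer}-P{i:03d}", employer, amount))
    return txns


def cluster_by_intermediary(txns):
    """clusters[intermediary_id][week][source_id] -> spend in that week."""
    clusters = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for week, source, intermediary, amount in txns:
        clusters[intermediary][week][source] += amount
    return clusters


def zscore(value, history):
    sigma = stdev(history)
    if sigma == 0:
        return 0.0 if value == mean(history) else float("inf")
    return (value - mean(history)) / sigma


def individual_alerts(weeks):
    """Per-source model: sources whose own spend exceeds Z_LIMIT sigma."""
    flagged = set()
    for source, amount in weeks[CURRENT_WEEK].items():
        past = [weeks[w][source] for w in range(CURRENT_WEEK) if source in weeks[w]]
        if len(past) >= 2 and zscore(amount, past) > Z_LIMIT:
            flagged.add(source)
    return flagged


def cluster_z(weeks, normalize=True):
    """Cluster model: weekly total spend, optionally per enrolled source."""
    def level(week):
        total = sum(weeks[week].values())
        return total / len(weeks[week]) if normalize else total
    history = [level(w) for w in range(CURRENT_WEEK)]
    return zscore(level(CURRENT_WEEK), history)


def lock_cluster(weeks):
    """Every source identifier seen in the cluster, flagged or not."""
    return {source for week in weeks.values() for source in week}


def run():
    clusters = cluster_by_intermediary(constructed_transactions())
    report, locked = {}, set()
    for intermediary, weeks in clusters.items():
        z = cluster_z(weeks)
        report[intermediary] = {
            "individual_alerts": len(individual_alerts(weeks)),
            "cluster_z": round(z, 1),
            "raw_total_z": round(cluster_z(weeks, normalize=False), 1),
            "fraud": z > Z_LIMIT,
        }
        if z > Z_LIMIT:
            locked |= lock_cluster(weeks)  # lock the whole cluster
    return report, locked


if __name__ == "__main__":
    report, locked = run()
    for name, row in report.items():
        print(name, row)
    print("locked source identifiers:", len(locked))
```

The lock set contains all 100 Employer A source identifiers even though none raised an individual alert, which is the trade-off the text describes: non-fraudulent cards are disabled along with fraudulent ones, so a production system needs a fast unlock path.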

Thus, by generating models on the cluster level and detecting fraud based on the cluster, the present technical solution can more efficiently detect fraud that might otherwise go undetected, thereby providing a technical improvement to a centralized state processing system. For example, a system analyzing fraud using a model generated for an individual participant device may take longer to detect fraud, as compared to a system using models generated for a cluster because the fraudulent or abnormal pattern may be more efficiently detected on a cluster-level as opposed to an individual level. Further, the present technical solution, by more efficiently detecting fraud that might otherwise go undetected, can reduce resource consumption by blocking or preventing fraudulent network activity or the transmission of fraudulent network data packets, thereby reducing network bandwidth usage. Further, by disabling both fraudulent and non-fraudulent devices on a cluster level, the system can reduce the resource utilization that may have otherwise been consumed to correct or reverse the fraud by preventing fraudulent transactions from ever occurring on certain devices.

Referring now to FIG. 2, a block diagram depicting an embodiment of a system 200 comprising a centralized state processing system is shown. In brief overview, the system 200 includes a centralized state processing system 120 (“CSPS”) that can receive and/or transmit data via a network 104 with participant computing devices 232 a-n, third-party administrator devices 240 a-n, employer devices 238 a-n, point-of-sale terminals 236 a-n, or heterogeneous electronic funding sources 234 a-n. The CSPS 120 can include a communications interface 204 that is configured with one or more communications ports, application programming interfaces, network protocols (e.g., TCP/IP), authentication protocols, or security protocols (e.g., SSL). The CSPS 120 can include, interface with, or otherwise access a clusterer 206 that generates or identifies a cluster or segmentation level in which to group electronic transactions. The CSPS 120 can include, interface with, or otherwise access a model generator 208 that generates one or more models using historical transaction information for the clusters generated or identified by the clusterer 206. The CSPS 120 can include, interface with, or otherwise access a fraud detector 210 that detects fraudulent transaction activity associated with a cluster. The CSPS 120 can include, interface with, or otherwise access a packet blocker 212 that locks or disables accounts associated with the cluster in which fraud is detected in order to prevent further packets carrying electronic transactions from either being sent or processed. The CSPS 120 can include one or more databases or data structure that store information to facilitate the systems and methods of the present solution, such as database 214. The database 214 can include data structures, files or otherwise categorize information into different clusters or tiers. For example, the clusterer 206 can cluster or group transactions or accounts into two tiers: tier 1 (216) and tier 2 (224). The data structure corresponding to tier 1 (216) can include a first source identifier data structure 218, first intermediary device identifier 220, a first resource 222, and a first model 242. The data structure corresponding to tier 2 (224) can include a second source identifier data structure 226, second intermediary device identifier 228, a second resource 230, and a second model 244. The database 214 can also include one or more policies, profiles, merchant information, or historical transaction activity.

The system 120, communications interface 204, clusterer 206, model generator 208, fraud detector 210, and packet blocker 212 can each include one or more processing units or other logic devices such as programmable logic array engines, modules, or circuitry designed and constructed to facilitate managing security on a network infrastructure. The CSPS 120 can include the components 100 shown in FIG. 1C or FIG. 1D, or be configured to operate as a service in cloud 108. The CSPS 120 can include or interact with one or more servers 106 a-n and clients 102 a-n. The participant computing devices 232 a-n, POS terminals 236 a-n, employer devices 238 a-n, TPA devices 240 a-n, or heterogeneous electronic funding sources 234 a-n can each include one or more component or functionality of client computing devices 102 a-n or server 106 a-n.

In some embodiments, the CSPS 120 can employ a multitier architecture such as a client-server architecture in which presentation, application processing, and data management functions are logically or physically separated. The presentation tier, or front-end, can include the communications interface 204 that can serve static content or dynamic content to be rendered by the client 102 (e.g., by a web browser executing on client 102). The presentation tier or web server can interact or communicate with the application tier to obtain data to provide to the client 102, computing devices 232 a-n, TPA devices 240 a-n, employer devices 238 a-n, funding sources 234 a-n, or POS terminals 120 a-n. The application tier can include the clusterer 206, model generator 208, fraud detector 210, and packet blocker 212 that control the system's functionality and perform additional processing or analysis on data. The application tier can interact with the data tier to obtain the transaction data. The data tier can include data persistence mechanisms (database servers, file shares, etc.) and the data access layer that encapsulates the persistence mechanisms and exposes the data. The data tier can include databases 214. The data tier can include an application programming interface (API) to the application tier. The databases 214 can include stored procedures (e.g., SQL statements) that perform tasks with respect to the stored data.

The system 200 can include, access, or otherwise communicate with one or more third-party administrator (“TPA”) devices 240 a-n. A TPA can refer to an organization that processes insurance claims or certain aspects of employee benefit plans for a separate entity. A TPA can refer to organizations within the insurance industry which “administer” other services such as Underwriting or Customer Service. In some cases, a TPA can handle the claims processing for employers 238 a-n that self-insure their employees 232 a-n. Thus, the employers 238 a-n are acting as an insurance company and underwrite the risk. The risk of loss can remain with the employer 238 a-n, and not with the TPA 240 a-n. An insurance company may also use a TPA 240 a-n to manage its claims processing, provider networks, utilization review, or membership functions. The TPA 240 a-n can handle many aspects of other employee benefit plans such as the processing of retirement plans and flexible spending accounts. Many employee benefit plans have highly technical aspects and difficult administration that can make using a specialized entity such as a TPA 240 a-n more cost effective than doing the same processing in house.

In the health care industry, for example, TPAs 240 a-n can administer all or a portion of the claims process. TPAs 240 a-n can be contracted by a health insurer or self-insuring companies to administer services, including claims administration, premium collection, enrollment and other administrative activities. For example, an employer 238 a-n may choose to help finance the health care costs of its employees 232 a-n by contracting with a TPA 240 a-n to administer many aspects of a self-funded health care plan.

Administrators, such as companies or health insurance providers, can establish electronic benefits accounts such as flexible spending accounts or healthcare tax benefit accounts (e.g., health savings accounts) for participants such as employees, subscribers, or customers. These electronic benefits accounts can provide a tax advantage for the participants. Administrators that establish or provide electronic tax benefits accounts for various participants of those accounts can utilize backend information technology infrastructure to process, analyze, monitor or manage the electronic tax benefits accounts. The tax benefit management information technology infrastructure can be configured with processing rules that are applied to electronic transactions. Electronic transactions can include allocating funds to the tax benefit account, withdrawing funds from the tax benefit account, making a purchase with funds from the tax benefit account, modifying a profile of the tax benefit account, or submitting a claim. The management information technology infrastructure can apply one or more rules to each type of transaction to determine an event. As the types of transactions and rules increase in number and complexity, the types and events can also increase in number and complexity, thereby consuming an increasing amount of resources of the information technology infrastructure. For example, events such as a card denial increase the number of transaction attempts, communications with the server, account resets, profile corruption, or resources consumed by a point-of-sale device initiating the transaction.

The employer devices 238 a-n can refer to a device used by an entity or organization that is associated with the participant computing devices 232 a-n of the employees of the employer. For example, Employer A can be a software company that has a thousand employees associated with the participant computing devices 232 a-n. The employees can obtain health care or other services, and pay for those services at a POS terminal 236 a-n of the service provider.

Data packets can be generated by a device 240 a-n at an administrator. The device can refer to an administrator device (“administrator device”) such as administrator device 240 a-n. The administrator device 240 a-n may monitor data from the various electronic benefits accounts associated with the administrator. The accounts associated with the administrator may be accounts that are managed or maintained by the administrator. The administrator may be a point of contact for customers or participants of the associated accounts. In some embodiments, the client 102, which may correspond to an individual participant of the administrator's electronic benefits account, may access the account and perform a number of actions with respect to the account, such as fund the account (e.g., via heterogeneous electronic funding sources 234 a-n), withdraw from the account, charge the account, and the like. The administrator of the electronic benefits account, as the caretaker of the account, may adjust parameters associated with the account, such as monthly fees, minimum running balances, etc. At the same time, the CSPS 120 may monitor the data, parameters, and performance of the account and store the information under an administrator profile associated with the administrator of the account. The CSPS 120 may receive the data associated with the individual participants and their individual accounts from the clients 102 and the parameter data associated with the accounts from the administrator device 240 a-n via the network 104.

An administrator device 240 a-n can be the place where an administrator may perform various functions of the administrator, for example, functions associated with electronic benefits accounts of the administrator. The administrator device 240 a-n is the point at an administrator that may send requests or transaction information to the CSPS 120 for further processing or data collection. The administrator device 240 a-n may also be configured to transmit an identifier associated with the administrator corresponding to the administrator device 240 a-n for identification by the CSPS 120. In some embodiments, the receiving of the identifier initiates a fraud detection and control process.

The administrator device 240 a-n can include hardware and software. Administrators can utilize scanners, EFTPOS terminals, touch screens and any other wide variety of hardware and software available for use with administrator device 240 a-n. For example, an administrator can use software to make adjustments to parameters associated with their electronic benefits accounts.

The administrator device 240 a-n can include advanced features to cater to different functionality, such as account participant forecasts and estimates, account simulation, communication with participants of accounts, performing actions associated with individual participant accounts (e.g., freezing an account), collecting data from one or more of the participant accounts, etc., all built into the administrator software. The administrator device 240 a-n can be configured to execute user-input commands with respect to the electronic benefits accounts of the administrator.

In some embodiments, the communication interface 204 can receive data packets. The data packets can carry one or more electronic transactions. In some cases, the data packets can carry multiple electronic transactions. In some cases, the data packets can be received over a duration of time. The electronic transactions can occur over the duration of time. In some cases, the electronic transaction information carried via the data packets can be received by the CSPS 120 in real-time, such as responsive to the occurrence of the electronic transaction. In some cases, the CSPS 120 can receive the information about the electronic transactions in a bulk upload or batch upload. Receiving the information about the electronic transactions in a bulk upload or batch upload can reduce computing resource utilization or network bandwidth usage, thereby improving the efficiency of the CSPS 120. For example, the provider of the information about the electronic transactions can compress the information and generate data packets carrying the compressed information in a single batch or bulk transmission, thereby reducing network bandwidth utilization.

The electronic transaction information carried via the data packets can include information that facilitates performance of the electronic transaction, or analyzing the electronic transaction to detect fraudulent activity. The electronic transaction can include a source identifier pointing to a data structure storing a resource, a destination identifier corresponding to a data structure to transfer the resource, and an intermediary identifier corresponding to an entity that provides at least a portion of the resource stored in the data structure. The source identifier can refer to an account identifier that contains the resource being transferred from a source to a destination. The source identifier can refer to an account of an employee of an employer. The source identifier can correspond to an account associated with a participant computing device 232. The resource can correspond to an electronic resource or physical resource being represented in an electronic form. The resource can refer to or include a token, currency, points, or other resource that can be transferred from the source to a destination. The destination identifier can correspond to an entity or organization receiving the resource. The destination identifier can correspond to a provider of a service or good that is receiving the resource in return for performing the service or providing the good to the employee. The intermediary identifier can correspond to an entity that stores, holds, manages, provides, or maintains the resource. The intermediary identifier can refer to or correspond to the employer device 238 a-n, a heterogeneous electronic funding source 234 a-n or TPA 240 a-n.

An identifier corresponding to a data structure can refer to or include an identifier pointing to a data structure, such as a memory pointer. The identifier corresponding to a data structure can refer to or include an identifier used by a lookup to retrieve, identify, access or select the data structure. The identifier can label the data structure. The identifier can be mapped to the data structure.

The data packets or electronic transaction can be generated by a device at a merchant to conduct an electronic transaction at the merchant. The device can refer to a point of sale terminal (“POS terminal”) such as POS terminal 236 a-n. In some embodiments, the POS terminals 236 a-n are the devices at which retail transactions are initiated. The POS terminals 236 a-n are the points at which a customer of the entity or merchant makes a payment to the merchant in exchange for goods or services. At the point of sale the merchant can calculate the amount owed by the customer and provide options for the customer to make payment. The merchant can also issue a receipt for the transaction.

The POS terminal 236 a-n can include hardware and software. Merchants can utilize weighing scales, scanners, electronic and manual cash registers, EFTPOS terminals, touch screens and any other wide variety of hardware and software available for use with POS terminal 236 a-n. For example, a pharmacy can use software to customize the item or service sold when a customer has a special medication request.

The POS terminal 236 a-n can include advanced features to cater to different functionality, such as inventory management, CRM, financials, warehousing, flexible spending account transactions, etc., all built into the POS software. The POS terminal 236 a-n can be configured to conduct transactions using a debit card, multipurse card, Bluetooth, near field communications, smartphone, smartwatch, mobile telecommunications computing device, wearable communications, RFID, etc.

The CSPS 120 can include a communications interface 204. The communications interface 204 can execute on one or more processors of a server. The communications interface 204 can include one or more communications ports and be configured with one or more network protocols. Communications ports can include, e.g., network ports, Ethernet ports, WAN ports, I/O ports, or software ports. The communication port can be configured with a network protocol such as Transport Layer Protocols such as TCP/IP or UDP that are configured to receive and process data packets received via a computer network. The port can include or be associated with an IP address of a host and a protocol type of the communication.

The communications interface 204 can receive data packets generated by the POS terminal 236 a-n responsive to an electronic transaction resulting in transmission of a request to adjudicate a single claim against an electronic benefits account. In some embodiments, the request to adjudicate a single claim against the electronic benefits account is transmitted responsive to a user swiping a payment card at the POS terminal. The payment card can include identifying information that can be used to identify an account identifier of the electronic benefit account (e.g., source identifier) against which to adjudicate the claim. The data packets can include header information and payload information. Multiple data packets can be strung together in a sequence. The header information can refer to TCP/IP headers that include fields such as source port, destination port, sequence number, acknowledgment number, window size, etc. The payload information of the data packet can include information related to the electronic transaction, the request to adjudicate a single claim, the merchant, or the customer. The CSPS 120 can receive the data packet with header information and payload information and process the packets to obtain information for further processing. The payload can include data identifying the POS terminal 236 a-n (e.g., POS terminal 236 a) at which the electronic transaction occurred, the merchant providing the POS terminal 236 a, a merchant category of the merchant, financial information associated with the user performing the electronic transaction (e.g., via a card swipe or other communication technique used to perform the electronic transaction), an amount of expenditures of the electronic transaction, and other information facilitating adjudication of the single claim. The data packets (e.g., via the payload) can include the request to adjudicate the single claim. The request can specify the electronic benefits account for adjudication. The request can specify information for identifying a policy for performing the adjudication. The payload can include data identifying a merchant category of the merchant, an electronic benefits account, and a monetary amount of the electronic transaction.

The data packets can carry data identifying a merchant or merchant category of the merchant. In some embodiments, the data carried by the data packets include a merchant category code or identifier (e.g., dental, medical, etc.). In some embodiments, the data identifies a merchant, and the CSPS 120 determines a merchant category based on the identification of the merchant by, for example, using a merchant to merchant category mapping or lookup table stored in database. In some embodiments, the data packets carrying the request to adjudicate the single claim against the electronic benefits account include a data structure having a first field indicating a merchant identifier, a second field indicating a total amount of expenditures, and a third field indicating the electronic benefits account. In some embodiments, the data packets are generated by a merchant device (e.g., a client device 102 of a merchant) to conduct an electronic transaction at the merchant, and the data packets carry data identifying a merchant category of the merchant, the electronic benefits account maintained and configured on the CSPS 120, and a total monetary amount of the electronic transaction.

The data packets (e.g., payload of the data packets) can further identify an electronic account maintained and configured on the server. The electronic account can be maintained and configured in a database 214. The electronic account can correspond to a user and have a unique identifier. The unique identifier can include numbers, letters, characters, symbols, etc. The electronic account can be associated with the customer making the transaction at the merchant. The POS terminal 236 a can receive or determine the electronic account identifier via a card swipe or other communication technique employed at the POS terminal 236 a, which the POS 236 a can then convey to the CSPS 120.

The communications interface 120 can further receive data packets (e.g., payload information) identifying a monetary amount of the electronic transaction, such as a total amount of expenditures. The monetary amount can be for the purchase of goods or services made at the merchant. The monetary amount of the transaction can refer to the amount of funds in consideration for goods or services obtained from the entity or merchant. The merchant or entity can refer to the entity at which a point-of-sale terminal or device used to make the transaction is located or with which the terminal is associated. The monetary amount can be in any currency (e.g., United States dollars) or units. The monetary amount can be further tied to a category, such as medical services.

In some embodiments, the POS terminal 236 a can generate multiple data packets for a single transaction. The multiple data packets can each include a header and a payload. The header can indicate that the multiple data packets are to be grouped together for routing, transmission or processing purposes.

The CSPS 120 can be configured to authenticate communications and transactions. In some embodiments, the communications interface 204 receives communications such as the request to adjudicate the single claim. The request can include a security credential such as a security certificate or security token. The security credential can be associated with a user or a merchant. The CSPS 120 can be configured to extract the security credential from the request, and authenticate the request by comparing the security credential against a known or verified security credential. For example, the user profiles and/or merchant information stored in database 214 can include known or verified security credentials for comparison with the security credential of the request. In some embodiments, the CSPS 120 receives the request to adjudicate the single claim via the communications interface 204, extracts a security credential from the request, analyzes the extracted security credential to identify a user, queries the database 214 for a verified security credential stored with a user profile corresponding to the identified user, compares the extracted security credential to the verified security credential, and authenticates the request based on the extracted security credential matching the verified security credential. In some embodiments, the CSPS 120 analyzes the extracted security credential to identify a merchant, queries the database 214 for a verified security credential stored with merchant information corresponding to the identified merchant, compares the extracted security credential to the verified security credential, and authenticates the request based on the extracted security credential matching the verified security credential.
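The extract, look up, compare and authenticate sequence described above can be sketched as follows. This is an added example, not code from the disclosure; the `principal|secret` token layout, the in-memory `VERIFIED_CREDENTIALS` store standing in for database 214, and all function names are assumptions.

```python
import hashlib
import hmac


def _digest(secret: str) -> bytes:
    """Hash a credential so the store never holds the raw token (assumed design)."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Constructed stand-in for database 214: principal id -> digest of the
# verified credential stored with the user profile or merchant information.
VERIFIED_CREDENTIALS = {
    "user:1001": _digest("constructed-user-token-aaaa"),
    "merchant:pharmacy-17": _digest("constructed-merchant-token-bbbb"),
}

# Compared against when the principal is unknown, so both paths do similar work.
_DUMMY_DIGEST = _digest("constructed-placeholder-for-unknown-principal")


def extract_credential(request: dict):
    """Return (principal_id, secret) from the request, or None if absent or malformed.

    The "principal|secret" layout is hypothetical; the disclosure only says the
    credential is analyzed to identify a user or a merchant.
    """
    raw = request.get("security_credential")
    if not isinstance(raw, str) or "|" not in raw:
        return None
    principal, secret = raw.split("|", 1)
    if not principal or not secret:
        return None
    return principal, secret


def authenticate_request(request: dict, store=VERIFIED_CREDENTIALS) -> bool:
    """Authenticate only when the extracted credential matches the verified one."""
    extracted = extract_credential(request)
    if extracted is None:
        return False  # fail closed: no credential, no adjudication
    principal, secret = extracted
    candidate = _digest(secret)
    verified = store.get(principal)
    if verified is None:
        # Unknown user or merchant: still run a constant-time comparison so the
        # response time does not reveal which principals exist.
        hmac.compare_digest(candidate, _DUMMY_DIGEST)
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, verified)


if __name__ == "__main__":
    claim = {
        "account": "acct-A0",
        "amount": 50.0,
        "security_credential": "user:1001|constructed-user-token-aaaa",
    }
    print("authenticated:", authenticate_request(claim))
```
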

In some embodiments, the communications interface 210 can receive data packets. The data packets can be generated by a first device at a first merchant to conduct a first electronic transaction at the first merchant. The first device can refer to a POS terminal such as POS terminal 120 a. A point of sale terminal 120 (“POS”) is the place where a retail transaction is completed. The POS terminal 120 is the point at which a customer of the entity or merchant makes a payment to the merchant in exchange for goods or services. At the point of sale the merchant can calculate the amount owed by the customer and provide options for the customer to make payment. The merchant can also issue a receipt for the transaction.

The POS terminal 120 can include hardware and software. Merchants can utilize weighing scales, scanners, electronic and manual cash registers, EFTPOS terminals, touch screens and any other wide variety of hardware and software available for use with POS terminal 120. For example, a pharmacy can use software to customize the item or service sold when a customer has a special medication request.

The POS terminal 120 can include advanced features to cater to different functionality, such as inventory management, CRM, financials, warehousing, flexible spending account transactions, etc., all built into the POS software. The point of sale terminal 120 can be configured to conduct transactions using a debit card, multipurse card, Bluetooth, near field communications, smartphone, smartwatch, mobile telecommunications computing device, wearable communications, RFID, etc.

The communications interface 210 can receive data packets generated by the POS Terminal 120 a responsive to conducting an electronic transaction. The data packets can include header information and payload information. Multiple data packets can be strung together in a sequence. The header information can refer to TCP/IP headers that include fields such as source port, destination port, sequence number, acknowledgment number, window size, etc. The payload information of the data packet can include information related to the transaction, merchant, or customer. The system 120 can receive the data packet with header information and payload information and process the packets to obtain information for further processing. The payload can include data identifying a first merchant category of the first merchant, an electronic account, and a monetary amount of the electronic transaction.

The data packets can carry data identifying a merchant or merchant category of the merchant. In some embodiments, the data carried by the data packets include a merchant category code or identifier (e.g., dental, medical, etc.). In some embodiments, the data identifies a merchant, and the system 120 determines a merchant category based on the identification of the merchant by, for example, using a merchant to merchant category mapping or lookup table stored in database 214.

The data packets (e.g., payload of the data packets) can further identify an electronic account maintained and configured on the server. The electronic account can be maintained and configured in a database 214. The electronic account can correspond to a user and have a unique identifier. The unique identifier can include numbers, letters, characters, symbols, etc. The electronic account can be associated with the customer making the transaction at the merchant. The POS terminal 236 a can receive or determine the electronic account identifier via a card swipe or other communication technique employed at the POS terminal 236 a, which the POS 236 a can then convey to the system 120.

The communications interface 204 can further receive data packets (e.g., payload information) identifying a first monetary amount of the first electronic transaction. The monetary amount can be for the purchase of goods or services made at the merchant. The monetary amount of the transaction can refer to the amount of funds in consideration for goods or services obtained from the entity or merchant. The merchant or entity can refer to the entity at which a point-of-sale terminal or device used to make the transaction is located or with which the terminal is associated. The monetary amount can be in any currency (e.g., United States dollars) or units. The monetary amount can be further tied to a category, such as medical services.

In some embodiments, the POS terminal 236 a can generate multiple data packets for a single transaction. The multiple data packets can each include a header and a payload. The header can indicate that the multiple data packets are to be grouped together for routing, transmission or processing purposes.

The CSPS 120 can include a clusterer 204 designed, constructed and operational to cluster or group the electronic transactions identified in the data packets received by the communications interface 204. The clusterer 204 can cluster, group, categorize, or otherwise aggregate or organize the electronic transactions or aspects thereof. The CSPS 120 can cluster the source identifier of each of the plurality of electronic transactions based on the intermediary identifier of each of the plurality of electronic transactions to identify a first cluster of source identifiers in a first tier having a first intermediary identifier, and a second cluster of source identifiers in a second tier having a second intermediary identifier.

Each of the electronic transactions can include a source identifier and an intermediary identifier. The electronic transactions can also include a destination identifier. The CSPS 120 can group or cluster the electronic transactions based on one or more of the source identifier, intermediary identifier, or destination identifier. The intermediary identifier can correspond to an entity that configures or authorizes the source identifier, such as an employer device 238 or TPA device 240.

The CSPS 120 can select the clustering scheme based on a segmentation policy. The CSPS 120 can use the segmentation policy to select a segmentation level, which can define the type of identifier to use to generate the clusters. For example, the segmentation level can be employer level, TPA level, geographic region, participant device level, funding account type level, or merchant category level. The segmentation policy can indicate a predetermined segmentation level to use. The segmentation policy can indicate the segmentation level to use based on a number of transactions the CSPS 120 received in the data packets for a duration. For example, if the CSPS 120 received a large amount of electronic transaction information, the CSPS 120 may determine to use a segmentation level to cluster the electronic transactions such that fewer clusters are generated, thereby reducing the amount of downstream processing performed by the CSPS 120, and thereby reducing resource consumption, processor utilization, and memory utilization. The CSPS 120 can compare the number of electronic transactions with a threshold to determine which segmentation level to use to generate the clusters. For example, if the number of electronic transactions received for a predetermined time interval is greater than a threshold, the CSPS 120 can determine to generate clusters using a segmentation level corresponding to the employer. If, on the other hand, the CSPS 120 determines that the number of electronic transactions is less than the threshold, the CSPS 120 can determine to use a segmentation level that corresponds to a merchant category. In some cases, the segmentation policy can be configured to increase the sensitivity with which the CSPS 120 detects fraud. For example, the segmentation policy can optimize for fraud detection.

For example, the segmentation policy can indicate to generate clusters based on the employer segmentation level. The CSPS 120 can then identify electronic transactions in the received data packets that correspond to the same employer. The CSPS 120 can identify the electronic transactions corresponding to the same employer based on an identifier in the electronic transaction. The identifier can be the intermediary identifier, which can map to the identifier of the employer. The CSPS 120 can then group all transactions with the same intermediary identifier into a first cluster of a first tier. Similarly, the CSPS 120 can generate a cluster of electronic transactions for each corresponding intermediary identifier. For example, the CSPS 120 can generate a second cluster comprising electronic transactions having a second intermediary identifier.

The CSPS 120 can store the clusters in the database 214. The CSPS 120 can store the clusters in tier data structures. The CSPS 120 can generate a first tier data structure 216 that includes electronic transactions having a same first intermediary identifier 220. The electronic transactions grouped in the first tier (or tier 1 data structure) 216 can have different source identifiers 218. The electronic transactions grouped in the first tier data structure 216 can have different resource identifiers 222. The electronic transactions grouped in the first tier data structure 216 can have different destination identifiers. The CSPS 120 can generate a second cluster and store the second cluster in database 214 as tier 2 data structure. The tier 2 data structure can include electronic transactions having the same second intermediary identifier 228, but different source identifiers 226 or resource identifiers 230 or destination identifiers.

The CSPS 120 can include a model generator 208 designed, constructed or operational to generate a first model for the first cluster of source identifiers and a second model for the second cluster of source identifiers. The CSPS 120 can store the first model in a first model data structure 242, and store the second model in a second model data structure 244, in database 214. The models (e.g., first model 242 or second model 244) can be based on historical electronic transaction information. The CSPS 120 can generate the models using the electronic transaction information received via the data packets. The CSPS 120 can generate the model using electronic transactions that occurred over a time interval, such as 7 days, 30 days, 60 days or 90 days or some other time interval. The CSPS 120 can generate the model using electronic transactions that are known to not contain fraudulent transactions. For example, the CSPS 120 can generate the model using electronic transactions that are honest or legitimate. The CSPS 120 can generate the model as a baseline model indicative of the electronic transactions that are expected to occur over the time interval for the cluster.

For example, the first model for the first tier can indicate an average transaction amount for the time interval, the average frequency of transactions, the average number of transactions per day, the average transactions per hour, the average number of transactions per minute, total amount of transactions, or total amount for the time interval. The model can indicate the average transactions per merchant category, geographic area, employer, or TPA. The model can indicate the average rate of transaction per merchant category, geographic area, employer or TPA. The model can indicate the average transaction amount per merchant category, geographic area, employer or TPA. Instead of average, the model can indicate some other statistical metric, such as median, mode, standard deviation, variance, etc.

For example, the first model can indicate that the average number of transactions per day for the tier 1 cluster is 10; the average transaction amount is $50; and the total amount of transactions for 30 days is $15,000. The first model can further indicate that the average number of transactions per day at a merchant category corresponding to a pharmacy is 7, and the average number of transactions per day at a merchant category corresponding to a healthcare provider is 3. In another example, the second model can indicate that the average number of transactions per day for the tier 2 cluster is 50, with a standard deviation of 10 transactions per day, such that approximately 68% of days over the time interval each have between 40 and 60 transaction occurrences. The second model can further indicate that the average amount for a transaction is $100, and that 50% of the transactions occur at a healthcare service provider merchant category, 10% of transactions occur at a dental provider, 10% occur at a vision provider, and the remaining 30% occur at a pharmacy.

The model generator 208 can generate one or more models per cluster, using one or more statistical metrics, parameters, values, or categories.
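The segmentation-level choice, the clustering by intermediary identifier, and the per-cluster baseline model described above fit together as in the following added example, which is not code from the disclosure. The `Transaction` fields, function names and threshold value are assumptions; the constructed sample reproduces the tier 1 figures from the text (10 transactions per day, $50 average, $15,000 over 30 days, 7 pharmacy and 3 healthcare provider transactions per day).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    source_id: str         # account holding the resource
    intermediary_id: str   # employer or TPA providing the resource
    destination_id: str    # merchant or provider receiving the resource
    merchant_category: str
    amount: float
    day: date


# Hypothetical mapping from segmentation level to the field used as cluster key.
LEVEL_FIELD = {"employer": "intermediary_id", "merchant_category": "merchant_category"}


def select_segmentation_level(tx_count: int, threshold: int) -> str:
    """Above the threshold use the employer level, otherwise merchant category."""
    return "employer" if tx_count > threshold else "merchant_category"


def cluster_transactions(transactions, level: str) -> dict:
    """Group transactions by the identifier that the segmentation level names."""
    field = LEVEL_FIELD[level]
    clusters = defaultdict(list)
    for tx in transactions:
        clusters[getattr(tx, field)].append(tx)
    return dict(clusters)


def build_baseline(cluster, start: date, interval_days: int) -> dict:
    """Baseline model for one cluster over a known-legitimate time interval."""
    end = start + timedelta(days=interval_days)
    in_window = [tx for tx in cluster if start <= tx.day < end]
    if not in_window:
        raise ValueError("no transactions in the selected interval")
    per_day = Counter(tx.day for tx in in_window)
    # Days without transactions count as zero so quiet days lower the average.
    daily_counts = [per_day.get(start + timedelta(days=i), 0) for i in range(interval_days)]
    per_category = Counter(tx.merchant_category for tx in in_window)
    return {
        "source_ids": sorted({tx.source_id for tx in in_window}),
        "avg_tx_per_day": mean(daily_counts),
        "std_tx_per_day": pstdev(daily_counts),
        "avg_amount": mean(tx.amount for tx in in_window),
        "total_amount": sum(tx.amount for tx in in_window),
        "avg_tx_per_day_by_category": {
            cat: count / interval_days for cat, count in per_category.items()
        },
    }


SAMPLE_START = date(2024, 1, 1)  # constructed date, not from the disclosure


def constructed_sample(start: date = SAMPLE_START) -> list:
    """Constructed transactions for two intermediaries over 30 days."""
    txs = []
    for d in range(30):
        day = start + timedelta(days=d)
        for i in range(10):  # employer-A: 7 pharmacy + 3 healthcare provider, $50 each
            cat = "pharmacy" if i < 7 else "healthcare_provider"
            txs.append(Transaction(f"acct-A{i}", "employer-A", f"merchant-{cat}", cat, 50.0, day))
        for i in range(2 if d % 2 == 0 else 4):  # employer-B: alternating 2 and 4 per day
            txs.append(Transaction(f"acct-B{i}", "employer-B", "merchant-dental", "dental", 100.0, day))
    return txs


if __name__ == "__main__":
    txs = constructed_sample()
    level = select_segmentation_level(len(txs), threshold=100)
    for key, members in cluster_transactions(txs, level).items():
        print(key, build_baseline(members, SAMPLE_START, 30))
```
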

The model generator 208 can use a machine learning model to generate models for clusters of electronic transactions. The model generator 208 can use a machine learning model to determine the segmentation levels to use to generate the models. For example, the model generator can generate multiple different models formed from different clusters that may include the same source identifier. For example, the first source identifier can be included in a first cluster at the intermediary device segmentation level. The first source identifier can also be included in a second cluster that is formed from a geographic area segmentation level (e.g., Massachusetts).

The model generator 208 can generate, based on a machine learning model, the first model based on first historical electronic transactions associated with the first tier that occurred during a first predetermined time interval absent the fraudulent electronic transaction. For example, the transactions that occurred during the first predetermined time interval may be known to be not fraudulent; e.g., honest or legitimate transactions. The model generator 208 can generate, based on the machine learning model, the second model based on second historical electronic transactions associated with the second tier that occurred during a second predetermined time interval absent the fraudulent electronic transaction, the second predetermined time interval absent the fraudulent electronic transaction and different from the first predetermined time interval.

To generate the models, the model generator 208 can select a time interval. The model generator 208 can select the time interval from a predetermined list of time intervals, such as 48 hours, 72 hours, 7 days, 30 days, 60 days, 90 days. The model generator 208 can select the time interval based on a number of desired transactions that are expected to occur in the time interval. The model generator 208 can use a dynamic time interval. The model generator 208 can use a rolling time interval in which the model is updated as new data is received by the CSPS 120. The model generator 208 can use different time intervals for different segmentation levels. For example, for a segmentation level associated with a large number of transactions (e.g., greater than 1000 transactions per day), the model generator 208 can use a smaller time interval and still generate a satisfactory model. For a segmentation level associated with fewer transactions (e.g., less than 100 transactions per day), the model generator 208 can use a larger time interval. In some cases, the model generator 208 can select a time interval based on a statistical metric of the data. For example, if the variance is high, then the model generator 208 can determine to use a larger time interval in an effort to get more stable data with which to build the model.

The time intervals selected for generation of the model may not include transactions having fraudulent electronic transactions. The model generator 208 can select the first predetermined time interval absent the fraudulent electronic transaction to generate the first model based on a first characteristic of the first tier. Characteristics of the tier can include, for example, the number of transactions that occur in a time interval, variance, amount of the transactions, segmentation level, merchant category, or other characteristic. The model generator 208 can select a second, different predetermined time interval to generate the second model based on a second characteristic of the second tier.

The model generator 208 can use a machine learning algorithm or neural network to select time intervals that provide satisfactory models that can be used to reliably detect fraud in subsequent electronic transactions.

The model generator 208 can generate models at different levels of granularity or segmentation levels. For example, the model generator 208 can generate an individual model for a source identifier, which can be referred to as an electronic transaction model for the first source identifier. This electronic transaction model can be for a source identifier, which can correspond to a user or account. The electronic transaction model can be based on historical electronic transactions associated with the source identifier. The CSPS 120 can use the electronic transaction model to detect a fraudulent electronic transaction having the source identifier. The electronic transaction may also have the same intermediary identifier, in which case the CSPS 120 can identify a cluster corresponding to the intermediary identifier, and lock all source identifiers associated with the cluster.

The CSPS 120 can include a fraud detector 210 designed, constructed or operational to detect a fraudulent electronic transaction. The fraud detector 210 can detect the fraudulent electronic transaction using a model, such as the first model. The fraud detector 210 can detect a fraudulent electronic transaction having a first source identifier and the first intermediary identifier, the first source identifier pointing to a first data structure storing a first resource (e.g., tier 1 data structure storing first resource 222). The fraud detector 210 can detect the fraud based on a comparison between the electronic transaction and the first model.

The fraud detector 210 can detect the fraud based on a comparison between multiple electronic transactions during a time interval and the first model. For example, the fraud detector 210 can detect the fraud based on analyzing multiple electronic transactions during a time interval, such as 7 days. The fraud detector 210, via the clusterer 206, can generate a cluster from the multiple electronic transactions, where the cluster is formed from electronic transactions having the same first intermediary identifier. The fraud detector 210 can receive an indication of this cluster, and then select, from database 214, a model generated from historical, honest electronic transaction activity for a cluster with the same intermediary identifier. The fraud detector 210, using the selected model, can determine a statistical metric, such as the average number of transactions per day, which can be 10, for example. The fraud detector 210 can determine the statistical metric for the current set of electronic transactions having the same intermediary identifier to be 25 average electronic transactions over the course of 7 days. Responsive to the comparison, the fraud detector 210 can determine that the average number of transactions exceeds the modeled average number of transactions, and then determine that fraud has occurred. In some embodiments, responsive to the comparison, the fraud detector 210 can determine that the average number of transactions exceeds the modeled average number of transactions by a threshold amount (e.g., 25%, 30%, 40%, 50%, 100%, 150%, 1 standard deviation, 2 standard deviations, 10 transactions, 15 transactions, etc.), and then determine that fraud has occurred. The threshold can be an absolute value, such as a number of transactions, a percentage, a ratio, or a statistical metric such as standard deviation.

Thus, the fraud detector 210 can detect fraud by comparing current or recently received electronic transactions with a model generated from historical electronic transactions that have been clustered based on a segmentation level selected using a segmentation policy. In some cases, the fraud detector 210 generates a cluster for the recently received electronic transactions using the segmentation level, and then selects a model for a cluster generated from the same segmentation level. The fraud detector 210 can compare the statistical metric for the recently created cluster with the model to detect fraud.

In some cases, the fraud detector 210 can detect fraud in an individual electronic transaction. For example, a metric of the individual transaction can vary from the model such that the fraud detector 210 determines it to be a fraudulent transaction. For example, the model can include an average transaction amount. The statistics around the average transaction amount can include a standard deviation. The fraud detector 210, using the model, can determine that 99.7% of transaction amounts are within 3 standard deviations of the average. If the fraud detector 210 detects one or more electronic transactions having transaction amounts that vary more than 3 standard deviations from the average transaction amount, the fraud detector 210 can determine fraud has occurred. The fraud detector 210 can perform this fraud detection process on a segmentation level, such that if more than a threshold number of electronic transactions in a day have transaction amounts that exceed the 3rd standard deviation, then the fraud detector can determine fraud has occurred.

For example, the mean transaction amount for a second model corresponding to a second intermediary identifier (e.g., Employer B) can be $50. The standard deviation can be $10. The fraud detector 210 can detect a first electronic transaction at the same segmentation level as the second model that has a transaction amount that exceeds 3 standard deviations (e.g., $30) from the modeled mean of $50. For example, the first electronic transaction can be $15. The fraud detector 210 may determine that since 0.3% of the transactions in the model exceed 3 standard deviations, the first electronic transaction may not be fraud. Therefore, the fraud detector 210 may not detect fraud for the first electronic transaction. However, the fraud detector 210 may then detect a second electronic transaction on the same day that has an amount of $90 that also exceeds the mean by 3 standard deviations. The fraud detector 210 can detect fraud on the second electronic transaction because that may represent more than the allotted 0.3% that could fall outside of the 3 standard deviations. In some cases, the fraud detector 210 may not detect fraud until a threshold number of electronic transactions at the predetermined segmentation level occur within a time interval that exceeds a threshold number of standard deviations for the model corresponding to the segmentation level.
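The Employer B example above can be carried through in code. The following Python sketch is an added illustration and is not part of the disclosure; the `Txn` fields, the function names, the sample data, and the choice to express the allotted 0.3% as a per-day allowance of one out-of-range transaction are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    source_id: str
    intermediary_id: str
    day: str             # ISO date of the transaction
    amount: float
    valid: bool = True   # False if denied, rejected, disputed or flagged as fraud


@dataclass(frozen=True)
class AmountModel:
    mean: float
    std: float


def build_amount_model(history, intermediary_id):
    """Model one cluster's transaction amounts from valid history only."""
    amounts = [t.amount for t in history
               if t.intermediary_id == intermediary_id and t.valid]
    if len(amounts) < 2:
        raise ValueError("too few valid transactions to model this cluster")
    return AmountModel(mean(amounts), pstdev(amounts))


def is_outlier(txn, model, k=3.0):
    """True when the amount lies more than k standard deviations from the mean."""
    return abs(txn.amount - model.mean) > k * model.std


def detect_amount_fraud(txns, model, k=3.0, allowed_per_day=1):
    """Flag outliers once a day's outlier count exceeds the allowance.

    allowed_per_day stands in for the small share of honest transactions
    expected outside k standard deviations (assumption: one per day).
    Transactions are assumed to be in arrival order.
    """
    outliers_seen = defaultdict(int)
    flagged = []
    for t in txns:
        if is_outlier(t, model, k):
            outliers_seen[t.day] += 1
            if outliers_seen[t.day] > allowed_per_day:
                flagged.append(t)
    return flagged


# Constructed history: amounts of $40 and $60 give a mean of $50 and a
# standard deviation of $10, matching the figures in the text.
HISTORY = [Txn(f"B-{i % 4}", "EmployerB", "2024-03-01", 40.0 if i % 2 else 60.0)
           for i in range(20)]
# A transaction already flagged as fraud must not contaminate the model.
HISTORY.append(Txn("B-9", "EmployerB", "2024-03-01", 500.0, valid=False))
MODEL = build_amount_model(HISTORY, "EmployerB")

# Constructed incoming transactions for two days.
INCOMING = [
    Txn("B-1", "EmployerB", "2024-04-01", 15.0),  # first outlier of the day: tolerated
    Txn("B-2", "EmployerB", "2024-04-01", 55.0),  # within 3 standard deviations
    Txn("B-3", "EmployerB", "2024-04-01", 90.0),  # second outlier of the day: flagged
    Txn("B-0", "EmployerB", "2024-04-02", 95.0),  # new day, allowance starts again
]
FLAGGED = detect_amount_fraud(INCOMING, MODEL)

if __name__ == "__main__":
    for t in FLAGGED:
        print(f"fraud suspected: {t.source_id} ${t.amount:.2f} on {t.day}")
```

Excluding invalid transactions from the history matters here: if the $500 record were included, the modeled standard deviation would widen enough that neither the $15 nor the $90 transaction would fall outside 3 standard deviations.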

Upon detecting fraud, the fraud detector 210 can generate an alert based on a type of fraud detected by the centralized state processing system. The type of fraud can refer to the type of model used to detect the fraud, or the characteristic or statistical metric of the model that was used to detect the fraud. For example, the type of model can refer to the segmentation level (e.g., individual electronic transaction model, employer segmentation model, TPA segmentation model, geographic area segmentation model, etc.). The statistical metric of the model used to detect the fraud can include, for example, average transaction amount, average number of transactions per day, standard deviation, etc. The fraud detector 210 can transmit the alert to a device, such as a device associated with the first intermediary identifier (e.g., employer device 238 or TPA device 24).

Upon detecting a fraudulent transaction having a source identifier and intermediary identifier, the fraud detector 210 can provide an indication that a fraudulent electronic transaction has been initiated, in the process of being performed, or already occurred. The CSPS 212 can include a packet blocker 212 designed, constructed and operational to lock, responsive to detection of the fraudulent electronic transaction, a data structure to prevent transfer of the resource in electronic transactions associated with the source identifier. The packet blocker 212 can prevent the electronic transaction from occurring responsive to the fraud detector 210 determining that the electronic transaction is fraudulent. The packet blocker 212 can prevent the electronic transaction from occurring by preventing the completion of the transaction by not transferring the resources from the account requested by the transaction. The packet blocker 212 can disable the account corresponding to the source identifier. The packet blocker 212 can lock the data structure corresponding to the first source identifier 218 to prevent any funds from being withdrawn from the account, or to prevent the data structure from being manipulated.

Upon determining, by the fraud detector 210, that there may be fraudulent transactions occurring at a segmentation level corresponding to an intermediary identifier (e.g., Employer A or TPA A or other segmentation level), the packet blocker 212 can identify multiple source identifiers associated with the segmentation level in order to disable or lock the accounts to prevent further fraudulent transactions from occurring. For example, if the fraud detector 210 identifies a fraudulent transaction having a first intermediary identifier and using the first model corresponding to a first cluster in the first tier formed from electronic transactions having the first intermediary identifier, the packet blocker 212 can then identify all source identifiers associated with the first intermediary identifier of the first cluster. The packet blocker 212 can determine that since fraud has occurred at the first cluster or first tier level (e.g., Employer A), then to prevent further fraud from occurring the accounts that have not yet been associated with a fraudulent transaction but are associated with the same first cluster or first tier should also be disabled. Thus, the packet blocker 212 can lock, even absent detection of the fraudulent electronic transaction in one or more electronic transactions associated with the remaining source identifiers, the data structure corresponding to each of the remaining source identifiers in the first cluster of source identifiers.

Locking the source identifier can include flagging the account as inactive, temporarily disabled, locked, blocked, or on hold. In some cases, the packet blocker 212 can automatically unlock the account after a predetermined time interval. In some cases, unlocking the account can require a multifactor authentication. In some cases, the CSPS 120 can change an identifier prior to unlocking the account, such as the intermediary identifier or source identifier.

The packet blocker 212 can block packets carrying electronic transactions associated with one or more of the plurality of source identifiers associated with the tier or cluster in which the fraud detector 210 has detected a fraudulent transaction. In some embodiments, locking the source identifiers can include preventing completion of electronic transactions associated with one or more of the source identifiers. When an electronic transaction is blocked or prevented, or a source identifier is locked, the CSPS 120 can send a reply message that indicates the transaction is blocked or prevented.

After or subsequent to the one or more source identifiers associated with the segmentation level being locked, the CSPS 120 can request or require authentication credentials to perform an electronic transaction. For example, the CSPS 120 can request a multi-factor authentication. The CSPS 120 can request multi-factor authentication responsive to a request to conduct an electronic transaction associated with a source identifier that is locked. For example, locking a source identifier can include or refer to requesting authentication to perform the electronic transaction or requesting a different type of authentication to perform the electronic transaction (e.g., passcode, username, password, voice authentication, acoustic fingerprint, biometric passcode, multi-device based authentication, text message based authentication, etc.).

In some cases, the CSPS 120 may not detect fraud on an individual transaction, but detect fraud when analyzing a cluster of electronic transactions and using a model generated from previously received or historical electronic transactions. For example, the individual transaction model based on the individual source identifier may be consistent with the current electronic transaction for the source identifier. However, when analyzing electronic transactions in the aggregate for the time interval, the CSPS 120 may detect fraud. For example, the CSPS 120 can receive a second plurality of electronic transactions associated with the first tier (e.g., same intermediary identifier corresponding to an employer or TPA). The CSPS 120 can authorize each of the second plurality of electronic transactions based on not detecting fraud on each of the second plurality of electronic transactions when using corresponding individual transaction models. The CSPS 120 can then apply a statistical analysis to an aggregate of the second plurality of electronic transactions, and detect fraud in the first tier based on the statistical analysis applied to the aggregate of the second plurality of transactions. Thus, the present solution can detect fraud on a segmentation level when fraud may not be detected on an individual transaction when analyzed independently. The CSPS 120 can then lock source identifiers associated with the second plurality of electronic transactions.
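The aggregate case can be illustrated with the figures used earlier (a modeled average of 10 transactions per day against 25 per day observed over 7 days). The following Python sketch is an added example, not code from the disclosure; the per-account daily-count check standing in for the individual transaction model, the 50% threshold, the registry of accounts and all sample data are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    source_id: str
    intermediary_id: str
    day: int


def cluster(txns):
    """Group transactions by intermediary identifier (employer or TPA)."""
    clusters = defaultdict(list)
    for t in txns:
        clusters[t.intermediary_id].append(t)
    return clusters


def per_account_daily_counts(txns):
    return Counter((t.source_id, t.day) for t in txns)


def build_models(history, days):
    """Per cluster: average transactions per day, and the highest number of
    transactions any single account made in one day (individual baseline)."""
    return {
        iid: {
            "avg_per_day": len(txns) / days,
            "max_per_account_day": max(per_account_daily_counts(txns).values()),
        }
        for iid, txns in cluster(history).items()
    }


def individually_suspicious(txns, model):
    """Accounts whose own daily activity exceeds anything seen in history."""
    limit = model["max_per_account_day"]
    counts = per_account_daily_counts(txns)
    return sorted({src for (src, _), n in counts.items() if n > limit})


def aggregate_fraud(txns, days, model, threshold_pct=50):
    """True when the cluster's daily rate exceeds the modeled rate by the threshold."""
    return len(txns) / days > model["avg_per_day"] * (1 + threshold_pct / 100)


def clusters_to_lock(current, days, models, registry, threshold_pct=50):
    """Map each cluster with aggregate fraud to every account registered under
    it, including accounts that show no anomaly or no activity at all."""
    locked = {}
    for iid, txns in cluster(current).items():
        model = models.get(iid)
        if model is None:
            continue  # no honest baseline for this cluster yet
        if aggregate_fraud(txns, days, model, threshold_pct):
            locked[iid] = {src for src, owner in registry.items() if owner == iid}
    return locked


def authorize(txn, locked):
    """Reject any transaction whose source identifier is in a locked cluster."""
    return txn.source_id not in locked.get(txn.intermediary_id, set())


# Constructed registry: 16 accounts under Employer A, 5 under Employer B.
REGISTRY = {f"A-{n:02d}": "EmployerA" for n in range(16)}
REGISTRY.update({f"B-{n:02d}": "EmployerB" for n in range(5)})

# Constructed 30-day honest history: Employer A averages 10 per day
# (5 accounts, 2 transactions each); Employer B averages 5 per day.
HISTORY = []
for day in range(30):
    for j in range(5):
        HISTORY += [Txn(f"A-{(day * 5 + j) % 15:02d}", "EmployerA", day)] * 2
    HISTORY += [Txn(f"B-{n:02d}", "EmployerB", day) for n in range(5)]

# Constructed 7-day window: activity is spread thinly over 15 Employer A
# accounts (never more than 2 per account per day) but totals 25 per day.
CURRENT = []
for day in range(30, 37):
    CURRENT += [Txn(f"A-{n:02d}", "EmployerA", day) for n in range(10)] * 2
    CURRENT += [Txn(f"A-{n:02d}", "EmployerA", day) for n in range(10, 15)]
    CURRENT += [Txn(f"B-{n:02d}", "EmployerB", day) for n in range(5)]

MODELS = build_models(HISTORY, days=30)
LOCKED = clusters_to_lock(CURRENT, 7, MODELS, REGISTRY)

if __name__ == "__main__":
    for iid, sources in LOCKED.items():
        print(f"{iid}: locked {len(sources)} source identifiers")
```

In this data no Employer A account exceeds its individual baseline, yet the cluster is locked on the aggregate rate alone, and account `A-15`, which made no transactions in the window, is locked with the rest.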

Referring now to FIG. 3, a method of detecting and controlling fraud in a centralized state processing system in accordance with an embodiment is provided. The method 300 can be performed using one or more systems or components depicted in FIGS. 1A-1D or FIG. 2, including, for example, a centralized state processing system, communications interface, clusterer, model generator, fraud detector and packet blocker. In brief overview, the method 300 can include a centralized state processing system (“CSPS”) receiving data packets at step 302. The CSPS can cluster electronic transactions at step 304. The CSPS can generate a model at step 306. The CSPS can detect fraud at step 308. The CSPS can lock a data structure at step 310. The CSPS can identify additional source identifiers at step 312. At step 314, the CSPS can lock the data structures associated with the additional identified source identifiers.

Still referring to FIG. 3, and in further detail, the method 300 can include the CSPS receiving data packets at step 302. The data packets can carry multiple electronic transactions. The CSPS can receive the data packets via a network. The CSPS can retrieve the data packets from a database. The CSPS can receive the data packets in real-time, or in a bulk upload or batch process. For example, the CSPS can receive the data packets during a batch process that occurs on a periodic basis, such as every 24 hours, 12 hours, 36 hours or some other time interval. The CSPS can receive the data packets responsive to a trigger condition or event, such as a request from an administrator of the CSPS, alarm condition, notification, etc.

The data packets can include a header and a payload. The payload can carry information associated with the electronic transaction. The payload can include information that facilitates the performance of the electronic transaction. The payload can include information such as a source identifier, destination identifier, and an intermediary identifier. The source identifier can correspond to an account or data structure storing a resource that is to be transferred to an entity corresponding to the destination identifier. The intermediary identifier can correspond to an entity that established the source identifier or account thereof, or otherwise facilitates the performance of the electronic transaction. For example, the source identifier can correspond to an account for a participant of a health care savings plan. The destination identifier can correspond to a merchant or health care service provider. The intermediary identifier can correspond to an employer or TPA that established the account for the participant. For example, the intermediary identifier can correspond to an employer or TPA that provides, maintains, or manages at least a portion of the resource stored in the data structure corresponding to the source identifier.

The CSPS can cluster electronic transactions at step 304. The CSPS can group the electronic transactions based on a characteristic that is common to the electronic transactions. The characteristic can include an identifier associated with the electronic transaction, an entity associated with the electronic transactions, an amount of the electronic transactions, a time of day of the electronic transaction, a merchant category associated with the electronic transaction, a geographic region or area associated with the electronic transaction, or a device type associated with or used to perform the electronic transaction. For example, the CSPS can cluster the source identifier of each of the electronic transactions based on the intermediary identifier of each of the electronic transactions. Upon clustering, the CSPS can identify a first cluster of source identifiers in a first tier having a first intermediary identifier, and a second cluster of source identifiers in a second tier having a second intermediary identifier. The first tier can refer to a segmentation level or specific entity. For example, the first tier can refer to Employer A and the second tier can refer to Employer B. In some cases, the different tiers can correspond to different segmentation levels. For example, the first tier can correspond to employer devices or employers, and the second tier can correspond to TPAs.

Within a tier, the CSPS can identify one or more clusters. For example, within tier 1, the CSPS can generate one or more clusters based on a characteristic associated with the source identifiers of the first tier. For example, the CSPS can generate a first cluster within tier 1 that is associated with a first geographic region, and the CSPS can generate a second cluster also within tier 1 that is associated with a second geographic region.

The CSPS can generate a model at step 306. The CSPS can generate a model for each cluster. The CSPS can perform a quality check before generating the model for a cluster. For example, the CSPS can determine whether there are a sufficient number of electronic transactions in the cluster prior to generating a model. The CSPS can determine whether the transactions are valid before using them to generate the model. For example, the CSPS can determine that a transaction is valid if it has not been denied, rejected, or flagged as fraudulent. The CSPS can determine that a transaction is valid if it has not been disputed for a predetermined time period, such as 30 days, 60 days, or a bill pay cycle. Thus, the CSPS can generate the model using valid electronic transactions based on a pre-processing technique or quality check.

The CSPS can generate a first model for the first cluster of source identifiers and a second model for the second cluster of source identifiers. The CSPS can generate models for different characteristics. The CSPS can generate a model that includes statistical metrics associated with the cluster of electronic transactions.

The CSPS can detect fraud at step 308. The CSPS can use a model to detect the fraud. The CSPS can detect that an individual transaction is fraudulent, or that a group of transactions in the aggregate reflects fraudulent activity or behavior. The CSPS can detect or identify source identifiers associated with the fraud.

The CSPS can lock a data structure at step 310. The CSPS can lock, responsive to detection of the fraudulent electronic transaction, the account or data structure. Locking the account can refer to blocking or preventing the transaction from occurring or being completed. Preventing the transaction from being completed can refer to or include preventing resources from being transferred from the source to a destination (e.g., preventing the transfer of funds in an electronic account). In some cases, the CSPS can lock a data structure to prevent transfer of the resource stored in the data structure.

The CSPS can identify additional source identifiers at step 312. The CSPS can identify source identifiers associated with the first cluster of source identifiers in the first tier associated with the detected fraud. The CSPS can identify some or all of the source identifiers in the same cluster or tier in which a fraudulent transaction was detected. At step 314, the CSPS can lock the data structures associated with the additional identified source identifiers. The CSPS can lock the additional source identifiers even though fraud may not have been detected on transactions associated with the additionally identified source identifiers. This may prevent a fraudulent transaction from occurring. By preemptively blocking or locking the additional source identifiers, the CSPS can more efficiently control fraud because the fraud analysis procedure (e.g., comparing a transaction with a model) can be skipped for the additional source identifiers while still effectively preventing fraud. Thus, the CSPS can save resources, computing utilization, processor utilization, and network bandwidth by controlling fraud on a segmentation level.

Further, the CSPS can use an aggregate of electronic transactions to detect fraud on a segmentation level, which might otherwise go undetected on an individual transaction level. Thus, the CSPS can improve the ability of a system to detect fraud on an aggregate level.

It should be understood that the systems described above can provide multiple ones of any or each of those components and these components can be provided on either a standalone machine or, in some embodiments, on multiple machines in a distributed system. The systems and methods described above can be implemented as a method, apparatus or article of manufacture using programming or engineering techniques to produce software, firmware, hardware, or any combination thereof. In addition, the systems and methods described above can be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture. The term “article of manufacture” as used herein is intended to encompass code or logic accessible from and embedded in one or more computer-readable devices, firmware, programmable logic, memory devices (e.g., EEPROMs, ROMs, PROMs, RAMs, SRAMs, etc.), hardware (e.g., integrated circuit chip, Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), etc.), electronic devices, a computer readable non-volatile storage unit (e.g., CD-ROM, floppy disk, hard disk drive, etc.). The article of manufacture can be accessible from a file server providing access to the computer-readable programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc. The article of manufacture can be a flash memory card or a magnetic tape. The article of manufacture includes hardware logic as well as software or programmable code embedded in a computer readable medium that is executed by a processor. In general, the computer-readable programs can be implemented in any programming language, such as LISP, PERL, C, C++, C#, PROLOG, or in any byte code language such as JAVA. The software programs can be stored on or in one or more articles of manufacture as object code.

References to “or” may be construed as inclusive so that any terms described using “or” may indicate any of a single, more than one, and all of the described terms.

While various embodiments of the methods and systems have been described, these embodiments are exemplary and in no way limit the scope of the described methods or systems. Those having skill in the relevant art can effect changes to form and details of the described methods and systems without departing from the broadest scope of the described methods and systems. Thus, the scope of the methods and systems described herein should not be limited by any of the exemplary embodiments and should be defined in accordance with the accompanying claims and their equivalents.

What is claimed is:
1. A method, comprising: receiving, by a data processing system comprising one or more processors and memory, data packets carrying a plurality of electronic transactions, each of the plurality of electronic transactions comprising a source identifier corresponding to a data structure storing a resource, a destination identifier corresponding to a data structure to transfer the resource, and an intermediary identifier corresponding to an entity that provides at least a portion of the resource stored in the data structure; clustering, by the data processing system, the source identifier of each of the plurality of electronic transactions based on the intermediary identifier of each of the plurality of electronic transactions to identify a first cluster of source identifiers in a first tier of a plurality of tiers having a first intermediary identifier; identifying, by the data processing system, a first model for the first cluster of source identifiers trained using machine learning on first historical electronic transactions associated with the first tier that occurred during a first predetermined time interval absent fraudulent electronic transactions; detecting, by the data processing system using the first model, a fraudulent electronic transaction having a first source identifier and the first intermediary identifier, the first source identifier corresponding to a first data structure storing a first resource; identifying, by the data processing system, a plurality of source identifiers associated with the first cluster of source identifiers in the first tier; and locking, by the data processing system responsive to detection of the fraudulent electronic transaction using the first model generated via machine learning with the first historical electronic transactions, absent detection of the fraudulent electronic transaction in one or more electronic transaction associated with the plurality of source identifiers, the data structure corresponding to each of the plurality of source identifiers in the first cluster of source identifiers.
2. The method of claim 1, comprising: generating the first model based on first historical using machine learning; and generating a second model for a second cluster of source identifiers in a second tier of the plurality of tiers having a second intermediary identifier, the second model generating using machine learning on second historical electronic transactions associated with the second tier that occurred during a second predetermined time interval absent the fraudulent electronic transaction, the second predetermined time interval absent the fraudulent electronic transaction and different from the first predetermined time interval.
3. The method of claim 2, comprising: selecting the first predetermined time interval absent the fraudulent electronic transaction to generate the first model based on a first characteristic of the first tier; and selecting the second predetermined time interval to generate the second model based on a second characteristic of the second tier.
4. The method of claim 1, comprising: generating an electronic transaction model for the first source identifier; using the electronic transaction model to detect the fraudulent electronic transaction having the first source identifier and the first intermediary identifier; and locking, responsive to detection of the fraudulent electronic transaction, the first data structure to prevent transfer of the first resource in electronic transactions associated with the first source identifier.
5. The method of claim 1, comprising: receiving a second plurality of electronic transactions associated with the first tier; authorizing each of the second plurality of electronic transactions based on not detecting fraud on each of the second plurality of electronic transactions; applying a statistical analysis to an aggregate of the second plurality of electronic transactions; detecting fraud in the first tier based on the statistical analysis applied to the aggregate of the second plurality of transactions, wherein fraud is not detected on each of the second plurality of electronic transactions when analyzed independently; and locking, by the centralized state processing system, source identifiers associated with the second plurality of electronic transactions.
6. The method of claim 1, comprising: generating an alert based on a type of fraud detected by the centralized state processing system; and transmitting the alert to a device associated with the first intermediary identifier.
7. The method of claim 1, wherein the intermediary identifier of each of the plurality of electronic transactions corresponds to an entity that configures or authorized the source identifier associated with each of the plurality of electronic transactions.
8. The method of claim 1, wherein locking the plurality of source identifiers associated with the first tier that are not detected to be fraudulent comprises: blocking packets carrying electronic transactions associated with one or more of the plurality of source identifiers.
9. The method of claim 1, wherein locking the plurality of source identifiers associated with the first tier that are not detected to be fraudulent comprises: preventing completion of electronic transactions associated with one or more of the plurality of source identifiers.
10. The method of claim 1, comprising: subsequent to locking the plurality of source identifiers associated with the first tier, requesting multi-factor authentication responsive to a request to conduct an electronic transaction associated with one or more of the plurality of source identifiers that are locked.
 11. A system,comprising: a data processing system comprising one or more processorsand memory that execute a fraud detector to: receive data packetscarrying a plurality of electronic transactions, each of the pluralityof electronic transactions comprising a source identifier correspondingto a data structure storing a resource, a destination identifiercorresponding to a data structure to transfer the resource, and anintermediary identifier corresponding to an entity that provides atleast a portion of the resource stored in the data structure; clusterthe source identifier of each of the plurality of electronictransactions based on the intermediary identifier of each of theplurality of electronic transactions to identify a first cluster ofsource identifiers in a first tier of a plurality of tiers having afirst intermediary identifier; identify a first model for the firstcluster of source identifiers trained using machine learning on firsthistorical electronic transactions associated with the first tier thatoccurred during a first predetermined time interval absent fraudulentelectronic transactions; detect, using the first model, a fraudulentelectronic transaction having a first source identifier and the firstintermediary identifier, the first source identifier corresponding to afirst data structure storing a first resource; identify a plurality ofsource identifiers associated with the first cluster of sourceidentifiers in the first tier; and lock, responsive to detection of thefraudulent electronic transaction using the first model generated viamachine learning with the first historical electronic transactions, andabsent detection of the fraudulent electronic transaction in one or moreelectronic transaction associated with the plurality of sourceidentifiers, the data structure corresponding to each of the pluralityof source identifiers in the first cluster of source identifiers. 
12. The system of claim 11, wherein the centralized data state processing system is further configured to: generate the first model using machine learning; and generate a second model for a second cluster of source identifiers in a second tier of the plurality of tiers having a second intermediary identifier, the second model generating using machine learning on second historical electronic transactions associated the second tier that occurred during a second predetermined time interval absent the fraudulent electronic transaction, the second predetermined time interval absent the fraudulent electronic transaction and different from the first predetermined time interval.
13. The system of claim 12, wherein the data state processing system is further configured to: select the first predetermined time interval absent the fraudulent electronic transaction to generate the first model based on a first characteristic of the first tier; and select the second predetermined time interval to generate the second model based on a second characteristic of the second tier.
14. The system of claim 11, wherein the data state processing system is further configured to: generate an electronic transaction model for the first source identifier; use the electronic transaction model to detect the fraudulent electronic transaction having the first source identifier and the first intermediary identifier; and locking, responsive to detection of the fraudulent electronic transaction, the first data structure to prevent transfer of the first resource in electronic transactions associated with the first source identifier.
15. The system of claim 11, wherein the data state processing system is further configured to: receive a second plurality of electronic transactions associated with the first tier; authorize each of the second plurality of electronic transactions based on not detecting fraud on each of the second plurality of electronic transactions; apply a statistical analysis to an aggregate of the second plurality of electronic transactions; detect fraud in the first tier based on the statistical analysis applied to the aggregate of the second plurality of transactions, wherein fraud is not detected on each of the second plurality of electronic transactions when analyzed independently; and lock source identifiers associated with the second plurality of electronic transactions.
16. The system of claim 11, wherein the data state processing system is further configured to: generate an alert based on a type of fraud detected by the centralized state processing system; and transmit the alert to a device associated with the first intermediary identifier.
17. The system of claim 11, wherein the intermediary identifier of each of the plurality of electronic transactions corresponds to an entity that configures or authorized the source identifier associated with each of the plurality of electronic transactions.
18. The system of claim 11, wherein the data state processing system is further configured to: block packets carrying electronic transactions associated with one or more of the plurality of source identifiers.
19. The system of claim 11, wherein the data state processing system is further configured to: preventing completion of electronic transactions associated with one or more of the plurality of source identifiers.
20. The system of claim 11, wherein the data state processing system is further configured to: subsequent to the plurality of source identifiers associated with the first tier locked, request multi-factor authentication responsive to a request to conduct an electronic transaction associated with one or more of the plurality of source identifiers that are locked.
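The following Python sketch is an added illustration, not part of the patent text or any implementation by the applicant. It walks through the control flow recited in claims 11, 15 and 20: cluster source identifiers by intermediary identifier, lock the whole cluster when one transaction is flagged, require multi-factor authentication for locked sources, and catch aggregate drift that no single transaction reveals. All names (`Txn`, `TierFraudDetector`, `HISTORY`) and the sample data are constructed, and a z-score on transaction amount is an assumed stand-in for the machine-learned model.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from statistics import mean, stdev

@dataclass(frozen=True)
class Txn:
    source_id: str        # data structure (account) storing the resource
    destination_id: str   # data structure receiving the resource
    intermediary_id: str  # entity that provides the resource; defines the tier
    amount: float

class TierFraudDetector:
    def __init__(self, history, z_limit=3.0):
        self.z_limit, self.locked = z_limit, set()
        self.clusters, amounts = defaultdict(set), defaultdict(list)
        for t in history:  # history is assumed free of fraudulent transactions
            self.clusters[t.intermediary_id].add(t.source_id)
            amounts[t.intermediary_id].append(t.amount)
        # Assumption: (mean, stdev) of amount stands in for the trained model.
        self.model = {k: (mean(v), stdev(v)) for k, v in amounts.items()}

    def check(self, txn):
        """Per-transaction check; one hit locks every source in the tier's cluster."""
        if txn.source_id in self.locked:
            return "mfa_required"          # claims 10 and 20
        mu, sigma = self.model[txn.intermediary_id]
        if abs(txn.amount - mu) / sigma > self.z_limit:
            self.locked |= self.clusters[txn.intermediary_id]
            return "blocked"
        return "authorized"

    def check_aggregate(self, intermediary_id, batch):
        """Claim 15: z-test on the batch mean; locks the batch's sources on a hit."""
        mu, sigma = self.model[intermediary_id]
        z = (mean(t.amount for t in batch) - mu) / (sigma / sqrt(len(batch)))
        if abs(z) > self.z_limit:
            self.locked |= {t.source_id for t in batch}
        return abs(z) > self.z_limit

# Constructed sample history: two tiers, no fraud.
HISTORY = (
    [Txn(f"S{i % 4 + 1}", "D1", "EMP-A", a) for i, a in enumerate([40, 50, 60, 45, 55, 50, 48, 52])]
    + [Txn(f"T{i % 2 + 1}", "D2", "EMP-B", a) for i, a in enumerate([200, 220, 180, 210, 190])]
)
```

In the constructed data, six EMP-B transactions of 235 each pass `check` individually (z of about 2.2) while `check_aggregate` flags the batch (z of about 5.4), which is the situation claim 15 describes.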